## Table Creation: Evaluating the sum of fields and displaying them grouped by another field

Explorer

I have a bit of data that looks like

```
base search term
| eval varA = fieldA/3
| eval varB = fieldB/36
| eval varC = varA * varB
| stats sum(varC) by NAME
```

Where NAME is the value of another field - i.e., we have a bunch of data [vars A, B, and C] from one source, NAME. This code displays data in the format that I want: a statistics page with the sums of varC by NAME.

However, I am trying to generate a table of the format

```
NAME | varA | varB | varC | Performance
```

Where Performance checks to see if varC is >= a given number.

What is the Splunky way to do this? I'm trying not to get into bad habits.

1 Solution
Revered Legend

Try this

```
base search term
| eval varA = fieldA/3
| eval varB = fieldB/36
| eval varC = varA * varB
| table Name varA varB varC
```

Now if you could explain what values varA, varB and varC should contain if aggregation needs to be done, we can include a stats command instead of the table command. E.g., if you want to do max of varA and varB and sum of varC, just replace `| table Name varA varB varC` in the above query with `| stats max(varA) as varA max(varB) as varB sum(varC) as varC by Name`.

Motivator
```
base search term
| eval varA = fieldA/3
| eval varB = fieldB/36
| eval varC = varA * varB
| eval Performance = if(varC >= X, "Good", "Bad")
| stats sum(varC) by NAME, Performance
```

Depending on what you want for the value of Performance you can just add in a quick eval with an IF or a Case to set the field then add the field to your stats.
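
Added example (not from either answer above): a self-contained search that builds the `NAME | varA | varB | varC | Performance` table from the question, with Performance evaluated after the `stats` so that it tests the per-NAME sum of varC rather than each individual event. The `makeresults` rows, the NAME values `web01` and `db01`, the threshold of 10, and the choice of `sum()` for varA and varB are assumptions made for illustration.

```spl
| makeresults count=4
| streamstats count as n
| eval NAME = if(n <= 2, "web01", "db01")
| eval fieldA = case(n=1, 9, n=2, 6, n=3, 3, n=4, 12)
| eval fieldB = case(n=1, 72, n=2, 36, n=3, 36, n=4, 108)
| eval varA = fieldA/3
| eval varB = fieldB/36
| eval varC = varA * varB
| stats sum(varA) as varA sum(varB) as varB sum(varC) as varC by NAME
| eval Performance = if(varC >= 10, "Good", "Bad")
| table NAME varA varB varC Performance
```

Placing the Performance `eval` before the `stats` and adding it to the `by` clause instead splits each NAME into one row per Performance value, because the comparison is then made on every event's own varC.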