Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Total of 2 rows

g_paternicola
Path Finder
‎06-01-2021 05:51 AM

Hi everyone, I have a table which gives me 2 fields Username and Duration. How can I dedup the Username and add the total of the Duration in one row?

g_paternicola_0-1622551839751.png

Thank you very much!

Labels (2)
Labels
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎06-01-2021 07:26 AM

@g_paternicola 

Can you please try this?

YOUR_SEARCH
| rex field="Duration" "(?<hours>\d+)h:(?<minutes>\d+)m:(?<seconds>\d+)s" 
| eval Duration = ((hours*60*60)+(minutes*60)+(seconds))
| stats sum(Duration) as Duration by Username
| eval Duration=tostring(Duration,"duration")

 

My Sample Search :

| makeresults 
| eval Username="A", Duration="0h:40m:42s" 
| append 
    [| makeresults 
    | eval Username="A", Duration="1h:40m:42s"] 
| rex field="Duration" "(?<hours>\d+)h:(?<minutes>\d+)m:(?<seconds>\d+)s" 
| eval Duration = ((hours*60*60)+(minutes*60)+(seconds))
| stats sum(Duration) as Duration by Username
| eval Duration=tostring(Duration,"duration")


 Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-01-2021 06:32 AM

The stats command will do that.

... | stats sum(Duration) as Duration by Username

For it to work well, however, the Duration field must be a number rather than a string.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

g_paternicola
Path Finder
‎06-01-2021 06:53 AM

yeah, I also believe that, because I didn't get any results on the Duration

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...