Splunk Search

addtotal/addcoltotals issue

zachvida
Path Finder

Hello fellow Splunkers!

ipc=ipc1-r6c10 Intake-Temperature=70 Exhaust-Temperature=82 Humidity=44% Amps=6 Voltage=351 Watts=2106

ipc=ipc1-r6c11 Intake-Temperature=64 Exhaust-Temperature=81 Humidity=55% Amps=14 Voltage=349 Watts=4886

ipc=ipc1-r6c4 Not responding

Given the preceding with many more ipc(power controllers) each as it own event, how do I generate the total Wattage across all IPC's for a given polling period? The script that generates these events runs every 10 minutes.

So far I have figured out how to group the events for a given polling period as one event with transactions:

index="datacenter-stats" | transaction maxspan=350s

Now I want to sum Watts for each event in its own column; However, when I try to add up the Watts totals the resulting table always has nothing in the TotalPower column.

index="datacenter-stats" | transaction maxspan=350s | addtotals fieldname=TotalPower Watts | table *

Interestingly If I change the maxspan value to something like 10s which combines the source events into some events with a few lines each, the events with one value in the Watts column are displaying the correct TotalPower. This isn't all that useful because it only gets me the one power controller total which I already have.

index="datacenter-stats" | transaction maxspan=10s | addtotals fieldname=TotalPower Watts | table *

Screen Shot

In summary, How do I sum the value of fields in one event into a new field within that same event or another event, such that I eventually can then graph that fields change over time.

0 Karma
1 Solution

acdevlin
Communicator

If I understand your question properly, I think you'll want to use the stats function sum(). Give this query a try:

| transaction maxspan=350s | eventstats sum(Watts) as "TotalPower Watts" by _time | table *

Does this get the results you're after?

View solution in original post

0 Karma

acdevlin
Communicator

If I understand your question properly, I think you'll want to use the stats function sum(). Give this query a try:

| transaction maxspan=350s | eventstats sum(Watts) as "TotalPower Watts" by _time | table *

Does this get the results you're after?

0 Karma

zachvida
Path Finder

Yes, thank you!

index="datacenter-stats" | transaction maxspan=350s | eventstats sum(Watts) as "TotalPower Watts" by _time | eventstats sum(Amps) as "TotalCurrent" by _time | table *

What I used in the end.

Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...