Splunk Search

addtotal/addcoltotals issue

zachvida
Path Finder

Hello fellow Splunkers!

ipc=ipc1-r6c10 Intake-Temperature=70 Exhaust-Temperature=82 Humidity=44% Amps=6 Voltage=351 Watts=2106

ipc=ipc1-r6c11 Intake-Temperature=64 Exhaust-Temperature=81 Humidity=55% Amps=14 Voltage=349 Watts=4886

ipc=ipc1-r6c4 Not responding

Given the preceding with many more ipc(power controllers) each as it own event, how do I generate the total Wattage across all IPC's for a given polling period? The script that generates these events runs every 10 minutes.

So far I have figured out how to group the events for a given polling period as one event with transactions:

index="datacenter-stats" | transaction maxspan=350s

Now I want to sum Watts for each event in its own column; However, when I try to add up the Watts totals the resulting table always has nothing in the TotalPower column.

index="datacenter-stats" | transaction maxspan=350s | addtotals fieldname=TotalPower Watts | table *

Interestingly If I change the maxspan value to something like 10s which combines the source events into some events with a few lines each, the events with one value in the Watts column are displaying the correct TotalPower. This isn't all that useful because it only gets me the one power controller total which I already have.

index="datacenter-stats" | transaction maxspan=10s | addtotals fieldname=TotalPower Watts | table *

Screen Shot

In summary, How do I sum the value of fields in one event into a new field within that same event or another event, such that I eventually can then graph that fields change over time.

0 Karma
1 Solution

acdevlin
Communicator

If I understand your question properly, I think you'll want to use the stats function sum(). Give this query a try:

| transaction maxspan=350s | eventstats sum(Watts) as "TotalPower Watts" by _time | table *

Does this get the results you're after?

View solution in original post

0 Karma

acdevlin
Communicator

If I understand your question properly, I think you'll want to use the stats function sum(). Give this query a try:

| transaction maxspan=350s | eventstats sum(Watts) as "TotalPower Watts" by _time | table *

Does this get the results you're after?

0 Karma

zachvida
Path Finder

Yes, thank you!

index="datacenter-stats" | transaction maxspan=350s | eventstats sum(Watts) as "TotalPower Watts" by _time | eventstats sum(Amps) as "TotalCurrent" by _time | table *

What I used in the end.

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...