Splunk Search

addtotal/addcoltotals issue

zachvida
Path Finder

Hello fellow Splunkers!

ipc=ipc1-r6c10 Intake-Temperature=70 Exhaust-Temperature=82 Humidity=44% Amps=6 Voltage=351 Watts=2106

ipc=ipc1-r6c11 Intake-Temperature=64 Exhaust-Temperature=81 Humidity=55% Amps=14 Voltage=349 Watts=4886

ipc=ipc1-r6c4 Not responding

Given the preceding with many more ipc(power controllers) each as it own event, how do I generate the total Wattage across all IPC's for a given polling period? The script that generates these events runs every 10 minutes.

So far I have figured out how to group the events for a given polling period as one event with transactions:

index="datacenter-stats" | transaction maxspan=350s

Now I want to sum Watts for each event in its own column; However, when I try to add up the Watts totals the resulting table always has nothing in the TotalPower column.

index="datacenter-stats" | transaction maxspan=350s | addtotals fieldname=TotalPower Watts | table *

Interestingly If I change the maxspan value to something like 10s which combines the source events into some events with a few lines each, the events with one value in the Watts column are displaying the correct TotalPower. This isn't all that useful because it only gets me the one power controller total which I already have.

index="datacenter-stats" | transaction maxspan=10s | addtotals fieldname=TotalPower Watts | table *

Screen Shot

In summary, How do I sum the value of fields in one event into a new field within that same event or another event, such that I eventually can then graph that fields change over time.

0 Karma
1 Solution

acdevlin
Communicator

If I understand your question properly, I think you'll want to use the stats function sum(). Give this query a try:

| transaction maxspan=350s | eventstats sum(Watts) as "TotalPower Watts" by _time | table *

Does this get the results you're after?

View solution in original post

0 Karma

acdevlin
Communicator

If I understand your question properly, I think you'll want to use the stats function sum(). Give this query a try:

| transaction maxspan=350s | eventstats sum(Watts) as "TotalPower Watts" by _time | table *

Does this get the results you're after?

0 Karma

zachvida
Path Finder

Yes, thank you!

index="datacenter-stats" | transaction maxspan=350s | eventstats sum(Watts) as "TotalPower Watts" by _time | eventstats sum(Amps) as "TotalCurrent" by _time | table *

What I used in the end.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...