
addtotal/addcoltotals issue

Path Finder

Hello fellow Splunkers!

ipc=ipc1-r6c10 Intake-Temperature=70 Exhaust-Temperature=82 Humidity=44% Amps=6 Voltage=351 Watts=2106

ipc=ipc1-r6c11 Intake-Temperature=64 Exhaust-Temperature=81 Humidity=55% Amps=14 Voltage=349 Watts=4886

ipc=ipc1-r6c4 Not responding

Given the preceding with many more ipc (power controllers), each as its own event, how do I generate the total Wattage across all IPCs for a given polling period? The script that generates these events runs every 10 minutes.

So far I have figured out how to group the events for a given polling period as one event with transactions:

index="datacenter-stats" | transaction maxspan=350s

Now I want to sum Watts for each event in its own column; however, when I try to add up the Watts totals, the resulting table always has nothing in the TotalPower column.

index="datacenter-stats" | transaction maxspan=350s | addtotals fieldname=TotalPower Watts | table *

Interestingly, if I change the maxspan value to something like 10s, which combines the source events into some events with a few lines each, the events with one value in the Watts column are displaying the correct TotalPower. This isn't all that useful because it only gets me the one power controller total, which I already have.

index="datacenter-stats" | transaction maxspan=10s | addtotals fieldname=TotalPower Watts | table *


In summary, how do I sum the value of fields in one event into a new field within that same event or another event, such that I can eventually graph that field's change over time?

1 Solution

Communicator

If I understand your question properly, I think you'll want to use the stats function sum(). Give this query a try:

| transaction maxspan=350s | eventstats sum(Watts) as "TotalPower Watts" by _time | table *

Does this get the results you're after?


Path Finder

Yes, thank you!

index="datacenter-stats" | transaction maxspan=350s | eventstats sum(Watts) as "TotalPower Watts" by _time | eventstats sum(Amps) as "TotalCurrent" by _time | table *

What I used in the end.
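
An added example, not part of the thread and not Splunk's own code: a Python cross-check that parses the raw key=value events, buckets them into 10-minute polling periods, and sums Watts per period so a dashboard total can be validated against the source events. It also reports a unique-values-only sum, because `transaction` with its default `mvlist=false` keeps only the unique values of each field, so two controllers reporting the same Watts can collapse into one value. The timestamps, the `ipc1-r6c12` controller, and the second poll are constructed sample data; `parse_event` and `totals_by_poll` are hypothetical helper names.

```python
import re
from collections import defaultdict

POLL_SECONDS = 600  # the post says the collection script runs every 10 minutes
KV = re.compile(r"(\S+?)=(\S+)")  # key=value pairs as they appear in the events

# Constructed sample: timestamps (epoch seconds) are invented. The first three
# event bodies are from the post; ipc1-r6c12 and the second poll are made up.
EVENTS = [
    (1000000200, "ipc=ipc1-r6c10 Intake-Temperature=70 Exhaust-Temperature=82 Humidity=44% Amps=6 Voltage=351 Watts=2106"),
    (1000000203, "ipc=ipc1-r6c11 Intake-Temperature=64 Exhaust-Temperature=81 Humidity=55% Amps=14 Voltage=349 Watts=4886"),
    (1000000205, "ipc=ipc1-r6c4 Not responding"),
    (1000000207, "ipc=ipc1-r6c12 Amps=6 Voltage=351 Watts=2106"),
    (1000000800, "ipc=ipc1-r6c10 Amps=6 Voltage=357 Watts=2140"),
    (1000000804, "ipc=ipc1-r6c11 Amps=14 Voltage=350 Watts=4900"),
]


def parse_event(raw):
    """Return the key=value pairs of one event; free text such as 'Not responding' is skipped."""
    return dict(KV.findall(raw))


def totals_by_poll(events, field="Watts"):
    """Sum `field` per polling period and list controllers that reported no value."""
    values, missing = defaultdict(list), defaultdict(list)
    for ts, raw in events:
        start = ts - ts % POLL_SECONDS  # start of the 10-minute bucket
        kv = parse_event(raw)
        if field in kv:
            values[start].append(int(kv[field]))
        else:
            missing[start].append(kv.get("ipc", "unknown"))
    return {
        start: {
            "total": sum(values[start]),             # every controller counted
            "unique_only": sum(set(values[start])),  # what a de-duplicated list would give
            "missing": missing[start],
        }
        for start in sorted(set(values) | set(missing))
    }


if __name__ == "__main__":
    for start, row in totals_by_poll(EVENTS).items():
        print(start, row)
```

If `total` and `unique_only` differ for a period, a sum taken over de-duplicated transaction values will under-report that period.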
