Solved: getting sum of a multivalues field for ach event

vijaya5 · ‎02-14-2020

Hi,

I have a query like below.

index=linux sourcetype=iostat mount="*"
which will list total_ops for each mount of a host in multiple events.

i need to get sum of total_ops of each host of all mounts from latest event.

Please help

codebuilder · ‎02-14-2020

Try this:

index=linux sourcetype=iostat mount="*" | mvexpand total_ops

That will break the multivalue field into separate events. Then you can add your stats, etc.
Worth noting, you can only use mvexpand on a single field.

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

to4kawa · ‎02-14-2020

index=linux sourcetype=iostat mount="*"
| streamstats window=1 sum(total_ops) as total_ops
| stats sum(total_ops) as total_ops by mount host

codebuilder · ‎02-14-2020

Try this:

index=linux sourcetype=iostat mount="*" | mvexpand total_ops

That will break the multivalue field into separate events. Then you can add your stats, etc.
Worth noting, you can only use mvexpand on a single field.

----
An upvote would be appreciated and Accept Solution if it helps!

getting sum of a multivalues field for ach event

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake