Splunk Search

Getting sum of a multivalue field for each event

vijaya5
Loves-to-Learn

Hi,

I have a query like below.

index=linux sourcetype=iostat mount="*"
which lists total_ops for each mount of a host across multiple events.

I need to get the sum of total_ops of all mounts for each host from the latest event.

Please help.


codebuilder
Motivator

Try this:

index=linux sourcetype=iostat mount="*" | mvexpand total_ops

That will break the multivalue field into separate events. Then you can add your stats, etc.
Worth noting, you can only use mvexpand on a single field.

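As an added example, not from either answer in this thread: one way to finish the accepted answer's "add your stats" step, taking only the latest event per host and mount before expanding the multivalue field, so the per-host figure does not double count older iostat samples. It assumes total_ops holds numeric values and that each event carries host and mount fields, as in the question.

```spl
index=linux sourcetype=iostat mount="*"
| dedup host mount
| mvexpand total_ops
| stats sum(total_ops) as mount_total_ops by host mount
| stats sum(mount_total_ops) as host_total_ops by host
```

dedup keeps the first event it sees for each host/mount pair, which is the most recent one in the default time-descending order; running it before mvexpand also keeps the expanded result set small, which matters because mvexpand is subject to a memory limit.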

to4kawa
SplunkTrust
index=linux sourcetype=iostat mount="*"
| streamstats window=1 sum(total_ops) as total_ops
| stats sum(total_ops) as total_ops by mount host
