How do I compute the Total line from the above two log lines? I am confused about which aggregate function I need to use, as the sum-aggregation spans across log statements, not within a single log statement. Any help is appreciated.
If you get the values extracted into fields, this should be very easy to accomplish using the stats command. For instance, to get the total of fields called

... | stats sum(1min),sum(5min),sum(60min),sum(24min)

... | stats sum(*min)
I am trying to add a field extraction to solve the above problem. In the Add new field extraction screen I entered the below regex. Is this OK?

After adding the above I used the search below, which didn't give me any results.

index=main sourcetype="splunk-too_small" | stats sum(1min_val)

Please help on this.
The field argument for rex refers to what field it should read FROM (default is _raw), not what field it should write. You need to read up on the syntax.

As for the stats command, I'm not sure what you want to achieve when splitting by _time. If you want to create a timechart, have a look at the timechart command instead.
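As an added example (not part of the original thread), here is a self-contained search that puts the two points above together: rex reads from _raw and writes each named capture group out as a new field on every event, and stats then sums those fields across all the events in the search. The two events are constructed inline with makeresults so the search runs without any indexed data; the log layout (a ProcessService line carrying 1min=, 5min=, 60min= and 24min= values, labels taken from the field names used in this thread) and the field names oneval, fiveval, sixtyval and tfval are assumptions, not the asker's actual format.

```spl
| makeresults count=2
| streamstats count AS n
| eval _raw=if(n=1,
    "2014-03-10 10:00:00 ProcessService 1min=12 5min=40 60min=300 24min=5000",
    "2014-03-10 10:01:00 ProcessService 1min=8 5min=35 60min=280 24min=4900")
| rex field=_raw "1min=(?<oneval>\d+)\s+5min=(?<fiveval>\d+)\s+60min=(?<sixtyval>\d+)\s+24min=(?<tfval>\d+)"
| stats sum(oneval) AS total_1min sum(fiveval) AS total_5min sum(sixtyval) AS total_60min sum(tfval) AS total_24min
```

On the two constructed events this returns a single row: total_1min=20, total_5min=75, total_60min=580, total_24min=9900. Against real data, replace the first three lines with the asker's own base search (index=main sourcetype="splunk-too_small" ProcessService) and adjust the regex to the actual line layout; the rex and stats lines otherwise stay the same. Note that field=_raw is the default and can be omitted, and that a value rex fails to match is simply absent from that event, so it contributes nothing to the sum rather than breaking it.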
Does something like the below work, without field extractions? Can we use extract(1min) or rex as below?
ProcessService | rex field=1min (?
sum(oneval),sum(fiveval),sum(sixtyval),sum(tfval) by _time
Hi Ayn, Thanks for the response.
Not yet extracted into fields.
Currently I am writing a program which logs these statements.
* I am trying to find out the best log format for Splunk to do this aggregation.
* Once written the best stat-aggregate function to get the Total line.