stats/chart Only Summing Cells with Multiple Value...

Rushingjs · ‎06-12-2014

If I have fields that have the potential to contain any number of values, from null to many, how can I get the sum function to work on all cases using stats or chart?

For example:

CaseID Process X Time Process Y time Process Z time
1 .24
1 .65
1.54
1 .45
1 .66
1.5
2 .56
2 .23
.99
1.87
2 1.2
2 2.5

When i use "... | stats sum(process_x), sum(process_y), sum(process z) by caseID

it only sums the cells that have multiple values, not the cells that only contain a single value. Any misconception or misconstruction I'm running into here?

Thanks!

lguinn2 · ‎06-12-2014

First, your chart is a bit unclear to me - it doesn't look like you have any Process Z values.

In addition, it looks like all events only have one value per field or else they are empty.

Does Splunk even think that these fields are numeric? If you simply run a search, do the fields appear in the fields sidebar at the left - or in the the list if you choose all fields?

I would do some exploration of your field values. There is nothing wrong with your stats command - except for the fact that you wrote process z instead of process_z.

stats/chart Only Summing Cells with Multiple Values

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Splunk Community Badges!

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Join the Conversation