Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

stats/chart Only Summing Cells with Multiple Values

Rushingjs
New Member
โ€Ž06-12-2014 08:26 AM

If I have fields that have the potential to contain any number of values, from null to many, how can I get the sum function to work on all cases using stats or chart?

For example:

CaseID Process X Time Process Y time Process Z time
1 .24
1 .65
1.54
1 .45
1 .66
1.5
2 .56
2 .23
.99
1.87
2 1.2
2 2.5

When i use "... | stats sum(processx), sum(processy), sum(process z) by caseID

it only sums the cells that have multiple values, not the cells that only contain a single value. Any misconception or misconstruction I'm running into here?

Thanks!

0 Karma
Reply

lguinn2
Legend
โ€Ž06-12-2014 11:10 AM

First, your chart is a bit unclear to me - it doesn't look like you have any Process Z values.

In addition, it looks like all events only have one value per field or else they are empty.

Does Splunk even think that these fields are numeric? If you simply run a search, do the fields appear in the fields sidebar at the left - or in the the list if you choose all fields?

I would do some exploration of your field values. There is nothing wrong with your stats command - except for the fact that you wrote process z instead of process_z.

0 Karma
Reply