stats/chart Only Summing Cells with Multiple Value...

Rushingjs · ‎06-12-2014

If I have fields that have the potential to contain any number of values, from null to many, how can I get the sum function to work on all cases using stats or chart?

For example:

CaseID Process X Time Process Y time Process Z time
1 .24
1 .65
1.54
1 .45
1 .66
1.5
2 .56
2 .23
.99
1.87
2 1.2
2 2.5

When i use "... | stats sum(process_x), sum(process_y), sum(process z) by caseID

it only sums the cells that have multiple values, not the cells that only contain a single value. Any misconception or misconstruction I'm running into here?

Thanks!

lguinn2 · ‎06-12-2014

First, your chart is a bit unclear to me - it doesn't look like you have any Process Z values.

In addition, it looks like all events only have one value per field or else they are empty.

Does Splunk even think that these fields are numeric? If you simply run a search, do the fields appear in the fields sidebar at the left - or in the the list if you choose all fields?

I would do some exploration of your field values. There is nothing wrong with your stats command - except for the fact that you wrote process z instead of process_z.

stats/chart Only Summing Cells with Multiple Values

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Are you a member of the Splunk Community?

stats/chart Only Summing Cells with Multiple Values

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor