Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

stats sum command dosen't works

adecroix
New Member
‎10-11-2017 08:05 AM

Hi guys,

I already used the "stats sum" command several time but I just noticed that for one particular index, the command return no results even if I have several events available and the field where the command is applied is present.

Below my command and the result

alt text

For an other index, the same commands works fine:

alt text

Preview file
82 KB
Preview file
72 KB
0 Karma
Reply

cmerriman
Super Champion
‎10-11-2017 10:15 AM

If you do |fillnull linecount value=0|stats sum(linecount) does it work? I’ve noticed that if a column has null values it won’t sum.

0 Karma
Reply

adecroix
New Member
‎10-12-2017 05:17 AM

Same: no results

0 Karma
Reply

cmerriman
Super Champion
‎10-12-2017 05:22 AM

when you do index=ib_dhcp_summary|table linecount|addcoltotals , does the total show up?

what about index=ib_dhcp_summary|where isnull(linecount)|table * , do you get results?

0 Karma
Reply

adecroix
New Member
‎10-12-2017 05:35 AM

Below the result for index=ib_dhcp_summary|table linecount|addcoltotals

linecount
1
1
1
1
1
1
1
... And so on

No results for index=ib_dhcp_summary|where isnull(linecount)|table *

0 Karma
Reply

cmerriman
Super Champion
‎10-12-2017 05:49 AM

you got a Total column using addcoltotals? if you sorted it, there was a value that was not 1?

0 Karma
Reply

adecroix
New Member
‎10-12-2017 05:56 AM

you got a Total column using addcoltotals?

No

if you sorted it, there was a value that was not 1?

No, all values are set with 1

0 Karma
Reply

cmerriman
Super Champion
‎10-12-2017 06:00 AM

then i'm betting linecount is not a number. try

index=ib_dhcp_summary|eval linecountnumber=tonumber(linecount)|stats sum(linecountnumber)

or

index=ib_dhcp_summary|eval linecountnumber=tonumber(linecount)|table linecountnumber|addcoltotals|sort - linecountnumber

and see if either of those get you a sum.

0 Karma
Reply

adecroix
New Member
‎10-12-2017 06:09 AM 
index=ib_dhcp_summary|eval linecountnumber=tonumber(linecount)|stats sum(linecountnumber)

No result

 index=ib_dhcp_summary|eval linecountnumber=tonumber(linecount)|table linecountnumber|addcoltotals|sort - linecountnumber

linecountnumber
3954
1
1
1
1
1
...And so on

0 Karma
Reply

cmerriman
Super Champion
‎10-12-2017 06:22 AM

well now that's interesting. The only other thing i would try is an index=ib_dhcp_summary|eval linecountnumber=tonumber(linecount)|eval linecount=if(linecountnumber=1,linecountnumber,0)|stats sum(linecount)
it doesn't appear like you have blank rows, but possibly. if that doesn't work, i'd submit a bug ticket. addcoltotals seems to be working after making the column into a number.

0 Karma
Reply

adecroix
New Member
‎10-12-2017 06:39 AM 
index=ib_dhcp_summary|eval linecountnumber=tonumber(linecount)|eval linecount=if(linecountnumber=1,linecountnumber,0)|stats sum(linecount)

No result

0 Karma
Reply

adecroix
New Member
‎10-11-2017 08:22 AM

Below the result of index=ib_dhcp_summary |table * command (we can see the linecount field)

alt text

Preview file
46 KB
0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎10-11-2017 09:56 AM

Is the field linecount a numeric field in your summary index?

0 Karma
Reply

pradeepkumarg
Influencer
‎10-11-2017 08:11 AM

It's most likely because the linecount field is not available in your summary index.

0 Karma
Reply

cmerriman
Super Champion
‎10-11-2017 08:10 AM

is the ib_dhcp_summary index a summary index created using any sort of transforming command already? when you do index=ib_dhcp_summary |table * what fields do you get?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...