Splunk Search

stats sum command dosen't works

adecroix
New Member

Hi guys,

I already used the "stats sum" command several time but I just noticed that for one particular index, the command return no results even if I have several events available and the field where the command is applied is present.

Below my command and the result

alt text

For an other index, the same commands works fine:

alt text

0 Karma

cmerriman
Super Champion

If you do |fillnull linecount value=0|stats sum(linecount) does it work? I’ve noticed that if a column has null values it won’t sum.

0 Karma

adecroix
New Member

Same: no results

0 Karma

cmerriman
Super Champion

when you do index=ib_dhcp_summary|table linecount|addcoltotals , does the total show up?

what about index=ib_dhcp_summary|where isnull(linecount)|table * , do you get results?

0 Karma

adecroix
New Member

Below the result for index=ib_dhcp_summary|table linecount|addcoltotals

linecount
1
1
1
1
1
1
1
... And so on

No results for index=ib_dhcp_summary|where isnull(linecount)|table *

0 Karma

cmerriman
Super Champion

you got a Total column using addcoltotals? if you sorted it, there was a value that was not 1?

0 Karma

adecroix
New Member

you got a Total column using addcoltotals?

No

if you sorted it, there was a value that was not 1?

No, all values are set with 1

0 Karma

cmerriman
Super Champion

then i'm betting linecount is not a number. try

index=ib_dhcp_summary|eval linecountnumber=tonumber(linecount)|stats sum(linecountnumber)

or

index=ib_dhcp_summary|eval linecountnumber=tonumber(linecount)|table linecountnumber|addcoltotals|sort - linecountnumber

and see if either of those get you a sum.

0 Karma

adecroix
New Member
index=ib_dhcp_summary|eval linecountnumber=tonumber(linecount)|stats sum(linecountnumber)

No result

 index=ib_dhcp_summary|eval linecountnumber=tonumber(linecount)|table linecountnumber|addcoltotals|sort - linecountnumber

linecountnumber
3954
1
1
1
1
1
...And so on

0 Karma

cmerriman
Super Champion

well now that's interesting. The only other thing i would try is an index=ib_dhcp_summary|eval linecountnumber=tonumber(linecount)|eval linecount=if(linecountnumber=1,linecountnumber,0)|stats sum(linecount)
it doesn't appear like you have blank rows, but possibly. if that doesn't work, i'd submit a bug ticket. addcoltotals seems to be working after making the column into a number.

0 Karma

adecroix
New Member
index=ib_dhcp_summary|eval linecountnumber=tonumber(linecount)|eval linecount=if(linecountnumber=1,linecountnumber,0)|stats sum(linecount)

No result

0 Karma

adecroix
New Member

Below the result of index=ib_dhcp_summary |table * command (we can see the linecount field)

alt text

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Is the field linecount a numeric field in your summary index?

0 Karma

pradeepkumarg
Influencer

It's most likely because the linecount field is not available in your summary index.

0 Karma

cmerriman
Super Champion

is the ib_dhcp_summary index a summary index created using any sort of transforming command already? when you do index=ib_dhcp_summary |table * what fields do you get?

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...