Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

sum fields in same event

jrizzobwa
New Member
‎06-26-2010 03:36 AM

I need to sum fields by other fields in the same event.

Here is an example event:

_time                                somefieldname   somefieldvalue
6/26/10 3:09:23.000 AM               A               1
                                     A               1
                                     B               2
                                     B               2

How could I sum the values in somefieldvalue by somefieldname, then graph the sum. IE '| timechart span=1m avg(somefieldvalue) by somefield.'

For this event on the timechart A would equal to 2 and B would equal to 4.

I'm at a loss. Any help is appreciated.

Thanks, Joe

Tags (1)
0 Karma
Reply

Jordan_Brough
Path Finder
‎06-29-2012 08:12 AM

Here's a custom search command I wrote that provides an "mvsum" operator: http://jordan.broughs.net/archives/2012/06/mvsum-for-splunk-summing-multi-valued-fields-within-a-sin...

0 Karma
Reply

jrizzobwa
New Member
‎06-30-2010 09:56 PM

I ended up splitting the event into multiple events using split. Then I could use stats and timechart as expected.

Thanks, Joe

0 Karma
Reply

Lowell
Super Champion
‎06-28-2010 05:22 PM

You might be able to use multikv depending on how your actual raw text is structured. If you are dealing with a text table like format (like shown in your example), then this should work:

... | multikv fields somefieldname somefieldvalue | timechart sum(somefieldvalue) by somefieldname

However, if somefieldname and somefieldvalue are two independent multi-value fields, then we are looking at the scenario that Nick was referring to. Although, I'm not sure I follow what he is suggesting that you do. I'm not sure this case can be solved without using a custom search script.

Reply

sideview
SplunkTrust
SplunkTrust
‎06-26-2010 06:19 AM

seems like a strange way to have the data extracted, if I follow it correctly.

If your data was instead extracted where A and B were the actual field names, and they had multivalued values of [1,1] and [2,2] respectively, instead of the 'somefieldname' and 'somefieldvalue' fields, it would be a bit easier. In such a case you could get to your end result with: 

<your search> | stats sum(A) sum(B) by _time, _serial

Apart from that, i think what you need is to use one of the multivalue operators to break out your events into individual single value events and then do a stats by _time _serial as in the above.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...