Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

sum fields in same event

jrizzobwa
New Member
‎06-26-2010 03:36 AM

I need to sum fields by other fields in the same event.

Here is an example event:

_time                                somefieldname   somefieldvalue
6/26/10 3:09:23.000 AM               A               1
                                     A               1
                                     B               2
                                     B               2

How could I sum the values in somefieldvalue by somefieldname, then graph the sum. IE '| timechart span=1m avg(somefieldvalue) by somefield.'

For this event on the timechart A would equal to 2 and B would equal to 4.

I'm at a loss. Any help is appreciated.

Thanks, Joe

Tags (1)
0 Karma
Reply

Jordan_Brough
Path Finder
‎06-29-2012 08:12 AM

Here's a custom search command I wrote that provides an "mvsum" operator: http://jordan.broughs.net/archives/2012/06/mvsum-for-splunk-summing-multi-valued-fields-within-a-sin...

0 Karma
Reply

jrizzobwa
New Member
‎06-30-2010 09:56 PM

I ended up splitting the event into multiple events using split. Then I could use stats and timechart as expected.

Thanks, Joe

0 Karma
Reply

Lowell
Super Champion
‎06-28-2010 05:22 PM

You might be able to use multikv depending on how your actual raw text is structured. If you are dealing with a text table like format (like shown in your example), then this should work:

... | multikv fields somefieldname somefieldvalue | timechart sum(somefieldvalue) by somefieldname

However, if somefieldname and somefieldvalue are two independent multi-value fields, then we are looking at the scenario that Nick was referring to. Although, I'm not sure I follow what he is suggesting that you do. I'm not sure this case can be solved without using a custom search script.

Reply

sideview
SplunkTrust
SplunkTrust
‎06-26-2010 06:19 AM

seems like a strange way to have the data extracted, if I follow it correctly.

If your data was instead extracted where A and B were the actual field names, and they had multivalued values of [1,1] and [2,2] respectively, instead of the 'somefieldname' and 'somefieldvalue' fields, it would be a bit easier. In such a case you could get to your end result with: 

<your search> | stats sum(A) sum(B) by _time, _serial

Apart from that, i think what you need is to use one of the multivalue operators to break out your events into individual single value events and then do a stats by _time _serial as in the above.

Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...