Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

sum fields in same event

jrizzobwa
New Member
‎06-26-2010 03:36 AM

I need to sum fields by other fields in the same event.

Here is an example event:

_time                                somefieldname   somefieldvalue
6/26/10 3:09:23.000 AM               A               1
                                     A               1
                                     B               2
                                     B               2

How could I sum the values in somefieldvalue by somefieldname, then graph the sum. IE '| timechart span=1m avg(somefieldvalue) by somefield.'

For this event on the timechart A would equal to 2 and B would equal to 4.

I'm at a loss. Any help is appreciated.

Thanks, Joe

Tags (1)
0 Karma
Reply

Jordan_Brough
Path Finder
‎06-29-2012 08:12 AM

Here's a custom search command I wrote that provides an "mvsum" operator: http://jordan.broughs.net/archives/2012/06/mvsum-for-splunk-summing-multi-valued-fields-within-a-sin...

0 Karma
Reply

jrizzobwa
New Member
‎06-30-2010 09:56 PM

I ended up splitting the event into multiple events using split. Then I could use stats and timechart as expected.

Thanks, Joe

0 Karma
Reply

Lowell
Super Champion
‎06-28-2010 05:22 PM

You might be able to use multikv depending on how your actual raw text is structured. If you are dealing with a text table like format (like shown in your example), then this should work:

... | multikv fields somefieldname somefieldvalue | timechart sum(somefieldvalue) by somefieldname

However, if somefieldname and somefieldvalue are two independent multi-value fields, then we are looking at the scenario that Nick was referring to. Although, I'm not sure I follow what he is suggesting that you do. I'm not sure this case can be solved without using a custom search script.

Reply

sideview
SplunkTrust
SplunkTrust
‎06-26-2010 06:19 AM

seems like a strange way to have the data extracted, if I follow it correctly.

If your data was instead extracted where A and B were the actual field names, and they had multivalued values of [1,1] and [2,2] respectively, instead of the 'somefieldname' and 'somefieldvalue' fields, it would be a bit easier. In such a case you could get to your end result with: 

<your search> | stats sum(A) sum(B) by _time, _serial

Apart from that, i think what you need is to use one of the multivalue operators to break out your events into individual single value events and then do a stats by _time _serial as in the above.

Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...