I need to sum fields by other fields in the same event.
Here is an example event:
_time somefieldname somefieldvalue
6/26/10 3:09:23.000 AM A 1
A 1
B 2
B 2
How could I sum the values in somefieldvalue by somefieldname, then graph the sum? I.e. '| timechart span=1m avg(somefieldvalue) by somefield.'
For this event on the timechart, A would equal 2 and B would equal 4.
I'm at a loss. Any help is appreciated.
Thanks, Joe
Here's a custom search command I wrote that provides an "mvsum" operator: http://jordan.broughs.net/archives/2012/06/mvsum-for-splunk-summing-multi-valued-fields-within-a-sin...
I ended up splitting the event into multiple events using split. Then I could use stats and timechart as expected.
Thanks, Joe
You might be able to use multikv depending on how your actual raw text is structured. If you are dealing with a text table like format (like shown in your example), then this should work:
... | multikv fields somefieldname somefieldvalue | timechart sum(somefieldvalue) by somefieldname
However, if somefieldname and somefieldvalue are two independent multi-value fields, then we are looking at the scenario that Nick was referring to. Although I'm not sure I follow what he is suggesting that you do, I'm not sure this case can be solved without using a custom search script.
Seems like a strange way to have the data extracted, if I follow it correctly.
If your data was instead extracted where A and B were the actual field names, and they had multivalued values of [1,1] and [2,2] respectively, instead of the 'somefieldname' and 'somefieldvalue' fields, it would be a bit easier. In such a case you could get to your end result with:
<your search> | stats sum(A) sum(B) by _time, _serial
Apart from that, I think what you need is to use one of the multivalue operators to break out your events into individual single value events and then do a stats by _time _serial as in the above.
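An added example (not from any of the posters) of the "break the event into single-value events" approach Nick describes, for the case where somefieldname and somefieldvalue are two independent multi-value fields: mvzip pairs the nth name with the nth value, mvexpand turns each pair into its own event carrying the original _time, and timechart then sums per name. The sample event from the question is rebuilt with makeresults (constructed input); the field names pair, name and value are my own.

```spl
| makeresults
| eval _time=strptime("06/26/10 03:09:23 AM", "%m/%d/%y %I:%M:%S %p")
| eval somefieldname=split("A,A,B,B", ","), somefieldvalue=split("1,1,2,2", ",")
| eval pair=mvzip(somefieldname, somefieldvalue, "|")
| mvexpand pair
| eval name=mvindex(split(pair, "|"), 0), value=tonumber(mvindex(split(pair, "|"), 1))
| timechart span=1m sum(value) by name
```

In the 03:09 bucket this yields A=2 and B=4; on real data replace the first three lines with your base search, keeping the mvzip/mvexpand/eval steps, which rely on the two fields having the same number of values in matching order.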