Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

sum fields in same event

jrizzobwa
New Member
‎06-26-2010 03:36 AM

I need to sum fields by other fields in the same event.

Here is an example event:

_time                                somefieldname   somefieldvalue
6/26/10 3:09:23.000 AM               A               1
                                     A               1
                                     B               2
                                     B               2

How could I sum the values in somefieldvalue by somefieldname, then graph the sum. IE '| timechart span=1m avg(somefieldvalue) by somefield.'

For this event on the timechart A would equal to 2 and B would equal to 4.

I'm at a loss. Any help is appreciated.

Thanks, Joe

Tags (1)
0 Karma
Reply

Jordan_Brough
Path Finder
‎06-29-2012 08:12 AM

Here's a custom search command I wrote that provides an "mvsum" operator: http://jordan.broughs.net/archives/2012/06/mvsum-for-splunk-summing-multi-valued-fields-within-a-sin...

0 Karma
Reply

jrizzobwa
New Member
‎06-30-2010 09:56 PM

I ended up splitting the event into multiple events using split. Then I could use stats and timechart as expected.

Thanks, Joe

0 Karma
Reply

Lowell
Super Champion
‎06-28-2010 05:22 PM

You might be able to use multikv depending on how your actual raw text is structured. If you are dealing with a text table like format (like shown in your example), then this should work:

... | multikv fields somefieldname somefieldvalue | timechart sum(somefieldvalue) by somefieldname

However, if somefieldname and somefieldvalue are two independent multi-value fields, then we are looking at the scenario that Nick was referring to. Although, I'm not sure I follow what he is suggesting that you do. I'm not sure this case can be solved without using a custom search script.

Reply

sideview
SplunkTrust
SplunkTrust
‎06-26-2010 06:19 AM

seems like a strange way to have the data extracted, if I follow it correctly.

If your data was instead extracted where A and B were the actual field names, and they had multivalued values of [1,1] and [2,2] respectively, instead of the 'somefieldname' and 'somefieldvalue' fields, it would be a bit easier. In such a case you could get to your end result with: 

<your search> | stats sum(A) sum(B) by _time, _serial

Apart from that, i think what you need is to use one of the multivalue operators to break out your events into individual single value events and then do a stats by _time _serial as in the above.

Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...