Splunk Search

sum multiple fields based on the field only

moayadalghamdi
Path Finder

Hello Splunkers

 

in my firewall logs, i have three numerical fields, (out_packet, in_packet, bytes)

 

i want to sum these values each field individually but a i want the answer in one record

for example:

index=firewall
| timechart sum (bytes) as bytes , sum (in_packet) as in_packet, sum (out_packet) as out_packet

 

unfortunately it didn't work, please help me with it

 

Thanks ^_^

Labels (4)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
index=firewall
| stats sum (bytes) as bytes , sum (in_packet) as in_packet, sum (out_packet) as out_packet

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
index=firewall
| stats sum (bytes) as bytes , sum (in_packet) as in_packet, sum (out_packet) as out_packet

View solution in original post

moayadalghamdi
Path Finder

Thanks for the prompt response ^_^

 

but i need it in time chart for visualization, help me with it plz

 

Thanks ^_ ^

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Stats will give you one record as you said. Timechart will give you lots of records (assuming the time span is wide enough). How are the results you originally had not what you wanted?

0 Karma

moayadalghamdi
Path Finder

Sorry, i just noticed that my post was confusing

what i want is to show the the trends of these three fields in a "line chart" visualization

 

i want the trend by any value of my choosing

for example i want like this, but with multiple fields based on the search

moayadalghamdi_2-1624177893382.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

It is still not clear why timechart is not working for you

0 Karma

moayadalghamdi
Path Finder

wait, the problem if from my side, my log sources have missing data.

 

sorry for that, BTW you helped my a lot in many posts, thanks whisperer ^_^

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!