Solved: sum multiple fields based on the field only

moayadalghamdi · ‎06-20-2021

Hello Splunkers

in my firewall logs, i have three numerical fields, (out_packet, in_packet, bytes)

i want to sum these values each field individually but a i want the answer in one record

for example:

index=firewall
| timechart sum (bytes) as bytes , sum (in_packet) as in_packet, sum (out_packet) as out_packet

unfortunately it didn't work, please help me with it

Thanks ^_^

ITWhisperer · ‎06-20-2021

index=firewall
| stats sum (bytes) as bytes , sum (in_packet) as in_packet, sum (out_packet) as out_packet

View solution in original post

ITWhisperer · ‎06-20-2021

index=firewall
| stats sum (bytes) as bytes , sum (in_packet) as in_packet, sum (out_packet) as out_packet

moayadalghamdi · ‎06-20-2021

Thanks for the prompt response ^_^

but i need it in time chart for visualization, help me with it plz

Thanks ^_ ^

ITWhisperer · ‎06-20-2021

Stats will give you one record as you said. Timechart will give you lots of records (assuming the time span is wide enough). How are the results you originally had not what you wanted?

moayadalghamdi · ‎06-20-2021

Sorry, i just noticed that my post was confusing

what i want is to show the the trends of these three fields in a "line chart" visualization

i want the trend by any value of my choosing

for example i want like this, but with multiple fields based on the search

ITWhisperer · ‎06-20-2021

It is still not clear why timechart is not working for you

moayadalghamdi · ‎06-20-2021

wait, the problem if from my side, my log sources have missing data.

sorry for that, BTW you helped my a lot in many posts, thanks whisperer ^_^

sum multiple fields based on the field only

chart

count

stats

timechart

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!