sum of 2 possible fields

lanilim16 · ‎07-31-2015

The search result looks like this
<date>, COUNT_SENT=20, SUM_AMOUNT=50000
<date>, COUNT_RECEIVED=30, SUM_AMOUNT=10000

I need to get the total for both (COUNT_SENT + COUNT_RECEIVED) by hour, but this doesn't since they're in different events

This doesn't work

<search string> | eval total = COUNT_SENT + COUNT_RECEIVED | stats sum(total) by hour

rename doesn't work too.

I manage to only sum either the COUNT_SENT or COUNT_RECEIVED separately but not combined, I need the combined though.

bmacias84 · ‎07-31-2015

This should work

.... | bucket _time span=1h | stats sum(COUNT_SENT) as tcs sum(COUNT_RECEIVED) as tcr by _time | eval total=tcs+tcr

jnussbaum_splun · ‎07-31-2015

try - | bucket _time span=1h | stats sum(eval(COUNT_SENT+COUNT_RECEIVED)) AS test by _time

woodcock · ‎07-31-2015

Like this:

... | stats sum(COUNT_SENT) AS COUNT_SENT sum(COUNT_RECEIVED) AS COUNT_RECEIVED BY hour | eval total = COUNT_SENT + COUNT_RECEIVED

Are you a member of the Splunk Community?