Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

sum of a field depending on values of other field

surekhasplunk
Communicator
‎11-07-2017 04:37 AM

Hi,

I have few fields in my csv file like below. Name of csv file example.csv
A B C D
1 Harry 100 Tel
Tom Harry 200 Ban
1 Harry 300 Oper

Requirement : I want to search in inputlookup example.csv to get
If column A=1 and Column B=Harry then give me sum(Column C) i.e. 400 and give it name as "Perm"
also to the same query add one more criteria like
If Column A=Tom and Column B=Harry then sum(Column C) shold be the output and named as "Cont" and group them by Column D at the end.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2017 04:45 AM

Hi surekhasplunk,
try something like this:

your_search 
| eval Perm=if(A=1 AND B="Harry",C,0), Cont=if(A="Tom" AND B="Harry",C,0)
| stats sum(Perm) AS Perm sum(Cont) As Cont BY D

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2017 04:45 AM

Hi surekhasplunk,
try something like this:

your_search 
| eval Perm=if(A=1 AND B="Harry",C,0), Cont=if(A="Tom" AND B="Harry",C,0)
| stats sum(Perm) AS Perm sum(Cont) As Cont BY D

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎11-07-2017 05:21 AM

Hi,

Thanks for the answer but unfortunately am getting 0 for Perm and Cont fields. My field names have spaces in it so am double quoting them but still am getting 0s . Not sure why

Thanks

0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎11-07-2017 05:11 AM

Thanks,

I tried it unfortunately am getting the results populated with values 0 for Perm and Cont columns

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2017 05:19 AM

Hi surekhasplunk,
your requirement was to have two distinct columns, if you want, you can put them in the same column using coalesce:

your_search 
| eval Perm=if(A=1 AND B="Harry",C,0), Cont=if(A="Tom" AND B="Harry",C,0)
| stats sum(Perm) AS Perm sum(Cont) As Cont BY D
| eval column=coalesce(Perm,Cont)
| table D column

You could also display kind of sum (Perm or Cont) in the same column:

your_search 
| eval Perm=if(A=1 AND B="Harry",C,0), Cont=if(A="Tom" AND B="Harry",C,0)
| stats sum(Perm) AS Perm sum(Cont) As Cont BY D
| eval Perm="Perm="+Perm, Cont="Cont="+Cont, column=coalesce(Perm,Cont)
| table D column

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎11-07-2017 07:35 AM

Thanks,

It worked I found for the column names where we have got space we have to single quote them and values where we have space we have to double quote them .

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...