Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- sum specific field value
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ips_mandar
Builder
08-02-2019
04:17 AM
I have below events-
value=1
value=3
value=5
value=0
value=4
value=5
value=6
value=0
value=1
Here I want to pick last value before value=0 and at end value if there is no zero value at end like in above case I want value=5 and value=6 and value=1
and add these value to get result as value=12
Kindly guide me to achieve this.
In script it can be done by storing variable and at end adding all. How this can be done in splunk.
Thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bangalorep
Communicator
08-02-2019
05:30 AM
You can try this,
| makeresults
| eval value="1,3,5,0,4,5,6,0,1"
| makemv delim="," value
| mvexpand value
| fields - _time
| streamstats current=f window=1 last(value) as break
| append
[| makeresults
| eval value="1,3,5,0,4,5,6,0,1"
| makemv delim="," value
| mvexpand value
| fields - _time
| stats last(value) as final]
| fillnull value=0
| search value=0
| eval sum=break+final
| stats sum(sum) as sum
In your case, it will be
`your query`
| streamstats current=f window=1 last(value) as break
| append
[| `your query`
| stats last(value) as final]
| fillnull value=0
| search value=0
| eval sum=break+final
| stats sum(sum) as sum
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bangalorep
Communicator
08-02-2019
05:30 AM
You can try this,
| makeresults
| eval value="1,3,5,0,4,5,6,0,1"
| makemv delim="," value
| mvexpand value
| fields - _time
| streamstats current=f window=1 last(value) as break
| append
[| makeresults
| eval value="1,3,5,0,4,5,6,0,1"
| makemv delim="," value
| mvexpand value
| fields - _time
| stats last(value) as final]
| fillnull value=0
| search value=0
| eval sum=break+final
| stats sum(sum) as sum
In your case, it will be
`your query`
| streamstats current=f window=1 last(value) as break
| append
[| `your query`
| stats last(value) as final]
| fillnull value=0
| search value=0
| eval sum=break+final
| stats sum(sum) as sum
Get Updates on the Splunk Community!
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?
Community Office Hours is an interactive 60-minute Zoom series where ...
Index This | When is October more than just the tenth month?
October 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
