Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

summing up rows by two column

ISP8055
Path Finder
‎10-02-2020 03:48 PM

Hi there, 

I have a table with 5 fields. 
E column is numeric value, C is sub category of A

I want to sum E by column C AND column A.

A B C D E
a     x       30

a     y       20

a     x       40

b    y        10

b    x        40


if I do stats(sum E) by A = it will give output of sum of first three rows of E.
if I do stats(sum E) by c = it will give output of rows by x and by e. 
I want to output be like a x 50  ( 50 is 30 + 20 in this case)

Hope, I conveyed what I'm going for.

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎10-02-2020 05:57 PM

I think what you want is ...

 

| stats sum(E) by A, C

 

And that should give you your answer.  (I think you miscalculated your example.  ax should be 30+40=70 and is the first and third lines, right?).

The output I get is

 

A	C	sum(E)
a	x	70
a	y	20
b	x	40
b	y	10

 

And the run-anywhere search you can test with yourself was:

 

| makeresults 
| eval testData = "a,x,30 a,y,20 a,x,40 b,y,10 b,x,40"
| makemv delim=" " testData
| mvexpand testData
| makemv delim="," testData
| eval A = mvindex(testData, 0), C = mvindex(testData,1), E = mvindex(testData, 2)
| stats sum(E) by A, C

 

Happy Splunking!

-Rich

View solution in original post

Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎10-02-2020 05:57 PM

I think what you want is ...

 

| stats sum(E) by A, C

 

And that should give you your answer.  (I think you miscalculated your example.  ax should be 30+40=70 and is the first and third lines, right?).

The output I get is

 

A	C	sum(E)
a	x	70
a	y	20
b	x	40
b	y	10

 

And the run-anywhere search you can test with yourself was:

 

| makeresults 
| eval testData = "a,x,30 a,y,20 a,x,40 b,y,10 b,x,40"
| makemv delim=" " testData
| mvexpand testData
| makemv delim="," testData
| eval A = mvindex(testData, 0), C = mvindex(testData,1), E = mvindex(testData, 2)
| stats sum(E) by A, C

 

Happy Splunking!

-Rich

Reply
Solved! Jump to solution

ISP8055
Path Finder
‎10-05-2020 03:05 PM

You are correct. it should be 70. Sorry, typo on my end.

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...