Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

summing values from stats

dbcase
Motivator
‎12-06-2017 12:28 PM

Hi,

I have a query that produces a stats table that looks like this

    company          count
    testco                100
    testcoa              200
    testcob              100
    testcoc              500
    nottestco          50
    otherco             150
    someco             300

I need to sum up the counts for each company. In this example testco, testcoa, testcob and testcoc are all the same company just different divisions. I need to return a value of 900 for testco, 50 for nottestco, 150 for otherco and 300 for someco.

Seems easy but my brain isn't working today......

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dbcase
Motivator
‎12-06-2017 12:57 PM

well I found a way to make it work, not sure if it is the best way though

index=mso_statistics sourcetype=ic_connectivity_5min-too_small  stat_name=subscribers |rex "\d+\s(?<mso>\w+)"|stats max(stat_val) as Subscribers by mso|where like(mso,"%testco%") |stats sum(Subscribers) as count

In the query testco is actually a token value, I substituted it just to illustrate

View solution in original post

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎12-06-2017 01:56 PM

If you literally have the table in the original post and just need the output you specified, I'd use this:

[ your search] 
| eval company=if(like(company, "testco%"), "testco", company) 
| stats sum(count) AS count BY company
0 Karma
Reply
Solved! Jump to solution

Lamar
Splunk Employee
Splunk Employee
‎12-06-2017 01:17 PM

You may want to use a lookup to federate this information and then search on that field.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources

You may already have this information in the form of a DB or CMDB.

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎12-06-2017 01:37 PM

Hi Lamar,

I'm not sure I understand what you are trying to say....

0 Karma
Reply
Solved! Jump to solution

Lamar
Splunk Employee
Splunk Employee
‎12-06-2017 01:54 PM

What using a lookup provides is the efficiency of updating one source of information rather than have an incredibly monolithic macro (or god forbid, searches) that include the logic for handling all of the different companies in your data. You could even go so far as include other types of information about said company in the lookup that could return things like address, type of company, contact information...etc.

0 Karma
Reply
Solved! Jump to solution

Lamar
Splunk Employee
Splunk Employee
‎12-06-2017 01:50 PM

With a lookup, what you can do is something similar to this:

lookup_file.csv

mso|company
testco|Company1
testcoa|Company1
testcob|Company1
testcoc|Company1
otherco|Company2
someotherco|Company3

search

index=mso_statistics sourcetype=ic_connectivity_5min-too_small  stat_name=subscribers | lookup lookup_file mso OUTPUT company | eventstats count by company | stats sum(count) as totals by company

EDIT: a letter

0 Karma
Reply
Solved! Jump to solution
Solution

dbcase
Motivator
‎12-06-2017 12:57 PM

well I found a way to make it work, not sure if it is the best way though

index=mso_statistics sourcetype=ic_connectivity_5min-too_small  stat_name=subscribers |rex "\d+\s(?<mso>\w+)"|stats max(stat_val) as Subscribers by mso|where like(mso,"%testco%") |stats sum(Subscribers) as count

In the query testco is actually a token value, I substituted it just to illustrate

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...