Hi,
Can someone please help me with this query? I am trying to multiply the fields Batch_Size and count and return the results in the tc field. I tried the above syntax but it did not work.
The first three lines of this query work fine by themselves. After adding lines 4 and 5, it does not return anything.
"\(TOTAL_REC\)::"
|rex field=_raw "(\(TOTAL_REC\)::)(?P<Batch_Size>\s(\d))"
|stats count by Batch_Size
| eval tc = Batch_Size*count
| stats sum(tc) as tc
Multiplying "count" by a whole number returns the expected result with three columns. When I replace 10 with Batch_Size, it gives only two columns: Batch_Size, count.
Not sure why Batch_Size is not working in the multiplication operation.
"\(TOTAL_REC\)::"
|rex field=_raw "(\(TOTAL_REC\)::)(?P<Batch_Size>\s(\d))"
| convert num(Batch_Size)
| stats count BY Batch_Size
| eval tc = (10 * count)
Splunk Enterprise Version: 7.2.6
Any help will be appreciated. Thanks, Ro