Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I sum columns in a multiline event

cdo_splunk
Splunk Employee
Splunk Employee
‎06-02-2015 03:31 PM

We have a script that gets the output of the command below and output it as a single event with multiline

ps -wweo uname,pid,psr,pcpu,cputime,pmem,rsz,vsz,tty,s,etime,args

I would like to write a search that filters through the lines to look for the the a certain string looks for a particular sting in a certain column, if exists sum the value of another column and return the string and the sum. E.g.

USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED COMMAND ARGS
root 1848 0 0.0 00:00:00 0.0 2128 476368 ? S 18:19:03 automount --pid-file_/var/run/autofs.pid
apache 2082 0 0.1 00:00:37 0.4 17868 402748 ? S 06:26:57 httpd <noArgs>
apache 2083 0 0.1 00:00:36 0.4 17872 402748 ? S 06:26:56 httpd <noArgs>
apache 2084 0 0.1 00:00:37 0.4 17908 402932 ? S 06:26:56 httpd <noArgs>
apache 2383 0 0.1 00:00:36 0.4 17872 402748 ? S 06:25:53 httpd <noArgs>
root 4951 0 0.0 00:00:00 0.0 1300 79968 ? S 18:17:40 sshd <noArgs>
root 5354 0 0.0 00:00:01 0.0 2696 91304 ? S 18:15:48 sendmail: accepting_connections
smmsp 5361 0 0.0 00:00:00 0.0 2108 82756 ? S 18:15:48 sendmail: Queue_runner@01:00:00_for_/var/spool/clientmqueue

The result of the search would be:

.4 httpd
Tags (3)
Reply

bshuler_splunk
Splunk Employee
Splunk Employee
‎06-02-2015 04:01 PM 
|localop| stats count | eval data="USER PID PSR pctCPU CPUTIME pctMEM RSZ_KB VSZ_KB TTY S ELAPSED COMMAND ARGS
root 1848 0 0.0 00:00:00 0.0 2128 476368 ? S 18:19:03 automount --pid-file_/var/run/autofs.pid
apache 2082 0 0.1 00:00:37 0.4 17868 402748 ? S 06:26:57 httpd <noArgs>
apache 2083 0 0.1 00:00:36 0.4 17872 402748 ? S 06:26:56 httpd <noArgs>
apache 2084 0 0.1 00:00:37 0.4 17908 402932 ? S 06:26:56 httpd <noArgs>
apache 2383 0 0.1 00:00:36 0.4 17872 402748 ? S 06:25:53 httpd <noArgs>
root 4951 0 0.0 00:00:00 0.0 1300 79968 ? S 18:17:40 sshd <noArgs>
root 5354 0 0.0 00:00:01 0.0 2696 91304 ? S 18:15:48 sendmail: accepting_connections
smmsp 5361 0 0.0 00:00:00 0.0 2108 82756 ? S 18:15:48 sendmail: Queue_runner@01:00:00_for_/var/spool/clientmqueue" | rex max_match=9999 field=data "(?P<lines>[^\n]+)" | table lines | mvexpand lines | rex field=lines "^(?<USER>\S+)\s(?<PID>\S+)\s(?<PSR>\S+)\s(?<pctCPU>\S+)\s(?<CPUTIME>\S+)\s(?<pctMEM>\S+)\s(?<RSZ_KB>\S+)\s(?<VSZ_KB>\S+)\s(?<TTY>\S+)\s(?<S>\S+)\s(?<ELAPSED>\S+)\s(?<COMMAND>\S+)\s(?<ARGS>.*)" | fields - lines | search USER!="USER"
Reply

woodcock
Esteemed Legend
‎06-02-2015 03:49 PM

Please re-edit your question; it has obvious cut/paste errors and is incomplete/incomprehensible. For example, you do not list either field name for your example.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...