Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I sum 2 field extractions if only one field extraction exists per log?

philallen1
Path Finder
‎12-05-2014 02:36 AM

Hi

So I've used Field Extractions to name 2 different fields in my logs: "dealtCurrency" and "dealtCurrencyDefault".

The dealtCurrencyDefault field will ALWAYS appear in my logs. However, the dealtCurrency field appears only in some logs. When the dealtCurrency appears, my regex ignores the dealtCurrencyDefault field altogether. So, my regex only ever gives me one field back - dealtCurrencyDefault (if there is no dealtCurrency), and dealtCurrency (if there is dealtCurrency).

I'm now trying to create a chart that displays the "currency" along the x axis and the "number of occurrences" along the y axis.

How can I write a search query that creates this chart?

I've tried things along the lines of:

...| eval currency=coalesce(dealtCurrency,dealtCurrencyDefault)
   | chart sum(currency ) as suma by currency

This gives me all the currencies, but it doesn't sum them to create the "number of occurrences" field (I just get empty field for the suma column).

Any ideas? Should I be using 'buckets'? Not really sure how to use them...

Thanks!

(Also not sure if the title is accurately describing this - so please feel free to suggest a more suitable one)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

wpreston
Motivator
‎12-05-2014 05:15 AM

Have you tried using count instead of sum?

...| eval currency=coalesce(dealtCurrency,dealtCurrencyDefault)
| chart count(currency) as CurrencyCount by currency

View solution in original post

Reply
Solved! Jump to solution
Solution

wpreston
Motivator
‎12-05-2014 05:15 AM

Have you tried using count instead of sum?

...| eval currency=coalesce(dealtCurrency,dealtCurrencyDefault)
| chart count(currency) as CurrencyCount by currency
Reply
Solved! Jump to solution

wpreston
Motivator
‎12-05-2014 05:32 AM

Can you share the rest of your search?

0 Karma
Reply
Solved! Jump to solution

philallen1
Path Finder
‎12-05-2014 05:26 AM

Hi wpreston. Thanks for the comment, however it doesn't seem to be working. It returns each currency in one column but the CurrencyCount is 0 for each currency. Any other ideas are welcome!

0 Karma
Reply
Solved! Jump to solution

philallen1
Path Finder
‎12-05-2014 05:36 AM

Hey wpreston

Acutally, it has randomly decided to work! (No idea what made it work - Splunk seems to be quite temperamental). So this is my final query:

...| eval currency=coalesce(dealtCurrency,dealtCurrencyDefault) | chart count(currency) as CurrencyCount by currency

Thanks a lot for your help!

0 Karma
Reply
Solved! Jump to solution

wpreston
Motivator
‎12-05-2014 05:38 AM

You're very welcome, glad it worked for you!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...