Splunk Search

How do I sum 2 field extractions if only one field extraction exists per log?

philallen1
Path Finder

Hi

So I've used Field Extractions to name 2 different fields in my logs: "dealtCurrency" and "dealtCurrencyDefault".

The dealtCurrencyDefault field will ALWAYS appear in my logs. However, the dealtCurrency field appears only in some logs. When the dealtCurrency appears, my regex ignores the dealtCurrencyDefault field altogether. So, my regex only ever gives me one field back - dealtCurrencyDefault (if there is no dealtCurrency), and dealtCurrency (if there is dealtCurrency).

I'm now trying to create a chart that displays the "currency" along the x axis and the "number of occurrences" along the y axis.

How can I write a search query that creates this chart?

I've tried things along the lines of:

...| eval currency=coalesce(dealtCurrency,dealtCurrencyDefault)
   | chart sum(currency) as suma by currency

This gives me all the currencies, but it doesn't sum them to create the "number of occurrences" field (I just get empty field for the suma column).

Any ideas? Should I be using 'buckets'? Not really sure how to use them...

Thanks!

(Also not sure if the title is accurately describing this - so please feel free to suggest a more suitable one)

0 Karma
1 Solution

wpreston
Motivator

Have you tried using count instead of sum?

...| eval currency=coalesce(dealtCurrency,dealtCurrencyDefault)
| chart count(currency) as CurrencyCount by currency

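An added example (not from the original thread) that reproduces the question on synthetic data so it can be run in any Splunk search bar without the asker's logs: `makeresults` builds five constructed `_raw` events in the shape the question describes (every event carries dealtCurrencyDefault, some also carry dealtCurrency), two `rex` calls stand in for the asker's field extractions, and the final `chart` puts the failing sum() beside the working count() so the difference is visible in one table. The event text, the regexes and the field values are assumptions made for the demonstration.

```spl
| makeresults count=5
| streamstats count AS n
| eval _raw=case(
    n=1, "2024-05-01 10:00:01 trade id=1 dealtCurrencyDefault=USD",
    n=2, "2024-05-01 10:00:02 trade id=2 dealtCurrencyDefault=USD dealtCurrency=EUR",
    n=3, "2024-05-01 10:00:03 trade id=3 dealtCurrencyDefault=GBP",
    n=4, "2024-05-01 10:00:04 trade id=4 dealtCurrencyDefault=USD dealtCurrency=EUR",
    n=5, "2024-05-01 10:00:05 trade id=5 dealtCurrencyDefault=USD dealtCurrency=JPY")
| rex field=_raw "dealtCurrencyDefault=(?<dealtCurrencyDefault>[A-Z]{3})"
| rex field=_raw "dealtCurrency=(?<dealtCurrency>[A-Z]{3})"
| eval currency=coalesce(dealtCurrency, dealtCurrencyDefault)
| chart sum(currency) AS suma, count(currency) AS CurrencyCount BY currency
```

Expected output is one row per currency (EUR 2, GBP 1, JPY 1, USD 1) with CurrencyCount filled in and suma empty on every row: sum() only adds numeric values, and a currency code is a string, so it contributes nothing, while count() counts every event in which the field is present. coalesce() returns the first non-null argument, so dealtCurrency wins whenever it was extracted and dealtCurrencyDefault is used otherwise, which is exactly the one-field-per-event behaviour the question describes. The second rex cannot accidentally match the dealtCurrencyDefault token because it requires a literal "=" immediately after "dealtCurrency".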

wpreston
Motivator

Can you share the rest of your search?

0 Karma

philallen1
Path Finder

Hi wpreston. Thanks for the comment, however it doesn't seem to be working. It returns each currency in one column but the CurrencyCount is 0 for each currency. Any other ideas are welcome!

0 Karma

philallen1
Path Finder

Hey wpreston

Actually, it has randomly decided to work! (No idea what made it work - Splunk seems to be quite temperamental). So this is my final query:

...| eval currency=coalesce(dealtCurrency,dealtCurrencyDefault) | chart count(currency) as CurrencyCount by currency

Thanks a lot for your help!

0 Karma

wpreston
Motivator

You're very welcome, glad it worked for you!

0 Karma