Solved: How to sum two fields?

vince_iw · ‎07-20-2022

I am attempting to eval a new field, from two other fields:

| eval 4XXError=if(metric_name="4XXError", statistic_value, null()) 
| eval 5XXError=if(metric_name="5XXError", statistic_value, null()) 
| eval total_errors='4XXError'+'5XXError'

when I come to stat them out:

| stats last(4XXError), last(5XXError), last(total_errors) by api_name, http_method, url

the total_errors column is just blank:

where am i going wrong?

also why does 4XXError need to be single-quoted? is it because it starts with a number?

ITWhisperer · ‎07-20-2022

Try it like this

| eval 4XXError=if(metric_name="4XXError", statistic_value, null()) 
| eval 5XXError=if(metric_name="5XXError", statistic_value, null()) 
| stats last(4XXError) as 4XXError, last(5XXError) as 5XXError by api_name, http_method, url
| eval total_errors='4XXError'+'5XXError'

You search seems to imply that the 4XXError (stats) events are different events to the 5XXError, so you need to use stats by ... to gather them into single events so you can do the arithmetic

View solution in original post

vince_iw · ‎07-20-2022

excellent, thanks!

ITWhisperer · ‎07-20-2022

Try it like this

| eval 4XXError=if(metric_name="4XXError", statistic_value, null()) 
| eval 5XXError=if(metric_name="5XXError", statistic_value, null()) 
| stats last(4XXError) as 4XXError, last(5XXError) as 5XXError by api_name, http_method, url
| eval total_errors='4XXError'+'5XXError'

You search seems to imply that the 4XXError (stats) events are different events to the 5XXError, so you need to use stats by ... to gather them into single events so you can do the arithmetic

How to sum two fields?

eval

stats

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team