Solved: sum values if<

HeinzWaescher · ‎11-05-2013

Hi,

I'm calculating a duration for each event in the dataset and would like to calculate the sum for all durations < 43200000

stats sum(eval(if(Duration_ms<43200000, Duration_ms,0))) AS total_duration

I made some tests and it the results seem to fit approximately, but I don't feel conifdent whether this is the correct approach. Am I doing it right? Do i need some quotes somewhere in the if-command?

Is it also possible to have " > AND < " condition here? So to sum all durations >0 AND <43200000.

Thanks

Heinz

kristian_kolb · ‎11-05-2013

that works fine

stats sum(eval(if((Duration_ms > 0 AND Duration_ms<43200000), Duration_ms,0))) AS Total_Duration

or to make it more readable, if it fits your use case, you can make the conditions part of the search terms;

sourcetype = blah Duration_ms > 0 Duration_ms < 43200000 | stats sum(Duration_ms) as Total_Duration

/K

View solution in original post

kristian_kolb · ‎11-05-2013

that works fine

stats sum(eval(if((Duration_ms > 0 AND Duration_ms<43200000), Duration_ms,0))) AS Total_Duration

or to make it more readable, if it fits your use case, you can make the conditions part of the search terms;

sourcetype = blah Duration_ms > 0 Duration_ms < 43200000 | stats sum(Duration_ms) as Total_Duration

/K

HeinzWaescher · ‎11-05-2013

Hi Kristian,

the second option doesn't fit, because i need these filtered events for other stats in this search.

Thanks a lot for confirming and adding the AND function!

sum values if<

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor