Calculating the sum for unique ID within each tran...

104K · ‎11-21-2013

Hello Splunkers,

I have two different sourcetypes that can be grouped by a unique id where one sourcetype has some numerical value and another ends with transaction "END" such as below:

sourcetype1

unique_ID, field_A

a, 10

b, 20

c, 5

a, 20

c, 30

sourcetype2

unique_ID, field_B

a, END

b, END

c, END

I would like to calculate the sum of field_A between "END" status for unique_ID.

What I have done so far is:

sourcetype=sourcetype1 OR sourcetype=sourcetype2 | transaction unique_ID startswith="END"

Any help is welcomed.

Thanks in advance.

104K

alacercogitatus · ‎11-21-2013

Without a more narrow parameter on time, I can only generalize the search. Which event happens first? The END or the values? Do you need it over a range?

This one only takes the timerange of the entire search.

sourcetype=sourcetype1 OR sourcetype=sourcetype2 | stats sum(field_B) by unique_id

This one limits each transaction to 15 minute spans, assigns a "complete transaction id" (via streamstats) and then shows the sum per transaction.

sourcetype=sourcetype1 OR sourcetype=sourcetype2 | transaction unique_ID maxspan=15m | streamstats count AS event_id| stats sum(field_B) by unique_id event_id

alacercogitatus · ‎12-11-2013

If this has helped you, please mark it accepted!

Calculating the sum for unique ID within each transaction

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!