Hi,
In one single event, the field amount appears multiple times. What I need is a new field that includes the total_amount for each event, to calculate stats with it afterwards.
For instance, we have the field amount in an event three times:
amount=5
amount=10
amount=5
Is it possible to add a field that sums up the total_amount=20 in this event?
addtotals command should help.
Please see the documentation for the command
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Addtotals
Try this
|eventstats sum(<yourfield>) as Sum
Sadly not. I think I will try to convert the field into a numeric type somehow and then use addtotals.
Thanks for your input!
I am really sorry, I thought you had it as a field already. Anyways to do that you might want to do a rex to extract the fields in an event first.
eventstats needs numerical values as well, and next to that it would calculate the sum for all events. And I don't have a useful field to group by in the eventstats 😕
Updated the answer. Please try eventstats
Hi,
thanks for this hint. I tried it out, but I get an empty result.
The field I want to use is defined as a string in the fieldlist. Can this be the reason? On the other hand the same field works with | stats sum() commands
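
The approach the replies point toward (extract the values with rex, then sum them with a per-event grouping key), written out as an added example that is not part of the original thread. The `<your_index>` and `<your_sourcetype>` placeholders, the field names `amount_mv` and `event_id`, and the assumption that each value appears in the raw event as `amount=<number>` are all illustrative.

```spl
index=<your_index> sourcetype=<your_sourcetype>
| rex field=_raw max_match=0 "amount=(?<amount_mv>\d+(?:\.\d+)?)"
| streamstats count AS event_id
| mvexpand amount_mv
| eval amount_num=tonumber(amount_mv)
| stats sum(amount_num) AS total_amount BY event_id
```

`rex max_match=0` captures every occurrence into a multivalue field, `streamstats count` gives each event its own key so the sum is not taken across all events, and `tonumber` converts the extracted strings before summing. For the sample event with amount=5, amount=10 and amount=5 this yields total_amount=20.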