Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

stats/chart Only Summing Cells with Multiple Values

Rushingjs
New Member
‎06-12-2014 08:26 AM

If I have fields that have the potential to contain any number of values, from null to many, how can I get the sum function to work on all cases using stats or chart?

For example:

CaseID Process X Time Process Y time Process Z time
1 .24
1 .65
1.54
1 .45
1 .66
1.5
2 .56
2 .23
.99
1.87
2 1.2
2 2.5

When i use "... | stats sum(process_x), sum(process_y), sum(process z) by caseID

it only sums the cells that have multiple values, not the cells that only contain a single value. Any misconception or misconstruction I'm running into here?

Thanks!

0 Karma
Reply

lguinn2
Legend
‎06-12-2014 11:10 AM

First, your chart is a bit unclear to me - it doesn't look like you have any Process Z values.

In addition, it looks like all events only have one value per field or else they are empty.

Does Splunk even think that these fields are numeric? If you simply run a search, do the fields appear in the fields sidebar at the left - or in the the list if you choose all fields?

I would do some exploration of your field values. There is nothing wrong with your stats command - except for the fact that you wrote process z instead of process_z.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...