Solved: How to add the values of a multi-value field with ...

jrodriguezap · ‎08-22-2014

Hello!!!
I was looking for ways to add the values of a multi-value field (c_user) with the value of count, which generates me the following result:

count | user | c_user | sum_usr
  5    jean     5       10
       peter    7       12
       yvan     9       14

But I tried: | eval sum_usr=count+c_user
And I did not get it, is there any way to add these values?

somesoni2 · ‎08-22-2014

May be try like this

your search returing count, user, c_user | mvexpand c_user | eval sum_usr=c_user+count | stats values(c_user) as c_user values(sum_usr) as sum_usr by count user

View solution in original post

somesoni2 · ‎08-22-2014

May be try like this

your search returing count, user, c_user | mvexpand c_user | eval sum_usr=c_user+count | stats values(c_user) as c_user values(sum_usr) as sum_usr by count user

jrodriguezap · ‎08-22-2014

Hi thanks Somesoni
Look I mention, the example I gave I tried to be as practical as possible, but better to avoid confusion, I'll show you what I'm really trying to get:

The queue_time multivalued field is subtracted from (time_deliver - time_start)
I ran what you mention me, but I think the mvexpand is spreading the values of multi-value field

jrodriguezap · ‎08-22-2014

Thanks for your answer Somesoni2
But I see what they do in that case is to get the sum of the values in the multivalued field, what I wanted is to add each of the field values "c_user" plus the value of the field "count", and as a result give "sum_usr"

somesoni2 · ‎08-22-2014

Here you go

http://answers.splunk.com/answers/4595/adding-up-numerical-values-within-a-multi-value-field

How to add the values of a multi-value field with a count value?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!