Hi.
I have 4 events with field smsresult=
, and I have to sum the values of this field. I tried to use
stats sum(SMSRESULT)
The problem is that some events are absolutely same and Splunk ignores repeated values.
For example sum of
... smsresult=9
... smsresult=9
... smsresult=1
... smsresult=9
returns me not 28, but 10.
What I have to do to fix this?
Can you provide your full search that you're using?
In the example given is smsresult= a multiple kv field within the same event?
Try
* | mvexpand smsresult | stats sum(smsresult)
Stats sum will work fine (as intended) without mvexpand as well. see this runanywhere sample
| gentimes start=-1 | eval temp="1,3,3,3" | makemv temp delim="," | stats sum(temp) list(temp)