Splunk Search

How to show stats sum for a field using a value produced from an eval statement?

franksteinar
New Member

Hi,

I have one field with values for each month, and this eval gives me the current month name (currently February):

eval mnd=strftime(_time, "%B")

Field1 is named January, Field2 February...

But when I try to sum this field with stats, I get no results:

stats sum(mnd)

I want this search to automatically show the current month's sum, and not using a static value in the stats sum expression.

0 Karma

sunnyparmar
Communicator

| stats count by mnd

or

| stats count by sum(mnd)

0 Karma

DalJeanis
SplunkTrust

The first one is right. The second doesn't seem to make any sense.

I think you may have meant (for the second one)

| stats sum(SomeField) as "Total of SomeField" by mnd

0 Karma

somesoni2
SplunkTrust

Are you looking for a sum of some field, and you want a column (with the sum) for each month? If that's the case, try something like this:

your base search | eval mnd=strftime(_time, "%B")  | eval temp=1 | chart sum(WhateverFieldYouWantToSum) over temp by mnd | fields - temp
0 Karma

franksteinar
New Member

Hi,

the challenge here is that "WhateverFieldYouWantToSum" is a static reference to a field; I need a dynamic reference to a field.
From my last post:
What I want to accomplish is to present a dashboard showing the sum of values from the month we are currently in. For now, that is February, and even though I can easily display February with a static expression:
stats sum(February)

that means I need to maintain this manually every month to match the month we are currently in. How can I make this flexible, so that the stats sum chooses the current month? Each month is represented by its own field (or column).

0 Karma

somesoni2
SplunkTrust

Here the month name (which will appear as a column name) is dynamic only. Not sure if you tried this at all.

Could you provide the current search where you have to provide the month name using a static expression?

0 Karma

javiergn
SplunkTrust

Hi, sorry I'm a bit confused by your question.
%B is creating a string therefore you can't sum it in Splunk.

If you want to sum months using integers simply use %m instead.

Stats won't care about whether your field comes from an eval or not. A field is a field.

Please let me know if that's not what you are looking for.

0 Karma

franksteinar
New Member

Hi,

sorry, I will try to be more precise. What I want to accomplish is to present a dashboard showing the sum of values from the month we are currently in. For now, that is February, and even though I can easily display February with a static expression:
stats sum(February)

that means I need to maintain this manually every month to match the month we are currently in. How can I make this flexible, so that the stats sum chooses the current month? Each month is represented by its own field (or column).

Hope this makes more sense:)

PS! Using %m did not make any difference, even though I adjusted the fields/columns to 01, 02, 03...

0 Karma

javiergn
SplunkTrust

If you want to display the current month dynamically, simply use the following:

| eval current_month = strftime(now(), "%B")

Then restrict your search to only return events for the month we are currently in:

index=foo sourcetype=bar earliest=@mon

Hope that makes sense.

0 Karma
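The thread never shows a search that actually picks the month-named column at run time, which is what the original question asks for. Below is an added example (not from any of the posters above) that does this with `foreach`: the template subsearch runs once per listed field name, `"<<FIELD>>"` expands to the field's name as a string and `'<<FIELD>>'` to its value, so the one column whose name equals the computed month name is copied into a fixed field that `stats` can then sum. The index, sourcetype and the twelve month-named fields are assumptions matching the question; `earliest=@mon` is taken from the answer above and can be dropped if the per-month columns already hold only that month's data.

```spl
index=foo sourcetype=bar earliest=@mon
| eval mnd=strftime(now(), "%B")
| eval current=0
| foreach January February March April May June July August September October November December
    [ eval current=if(mnd="<<FIELD>>", coalesce('<<FIELD>>', 0), current) ]
| stats sum(current) as current_month_total, values(mnd) as month
```

`coalesce('<<FIELD>>', 0)` matters: an event that lacks the current month's column would otherwise set `current` to null and silently drop out of the sum. Because `now()` is evaluated when the search runs, the dashboard panel rolls over to the new column on the first search of each month with no manual edit to the query.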