How do I edit my search to get the sum for an eval calculated field?

rbushman
New Member

I am trying to add to the search below so that I can get a cumulative total of the elapsed time calculation. I want one line for each store and Stall with a count of each disconnect that occurred and a sum of the elapsed time.

index="stalldisconnected_trace_index" Store=1004 | eval it = strptime(StartTime, "%Y-%m-%dT%H:%M:%S.%3N")  | eval ot = strptime(EndTime, "%Y-%m-%dT%H:%M:%S.%3N")  | eval ElapsedTime = tostring((ot - it), "duration") | Table Store,Stall,ElapsedTime

I have this search that gives me the count of the disconnects by store and stall

index="stalldisconnected_trace_index"  | Stats Count(Stall) as Disconnects by Store,Stall |Sort -Disconnects,Store,Stall | Head 20
0 Karma
1 Solution

somesoni2
SplunkTrust

Try something like this

index="stalldisconnected_trace_index"  | eval it = strptime(StartTime, "%Y-%m-%dT%H:%M:%S.%3N") | eval ot = strptime(EndTime, "%Y-%m-%dT%H:%M:%S.%3N") | eval ElapsedTime = (ot - it) | stats Count(Stall) as Disconnects sum(ElapsedTime) as ElapsedTime by Store,Stall |Sort -Disconnects,Store,Stall | Head 20 | eval ElapsedTime = tostring(ElapsedTime, "duration")

rbushman
New Member

somesoni2, that almost worked. The ElapsedTime is blank. That is the issue I was having when I tried to make it figure it out on my own.

0 Karma

somesoni2
SplunkTrust

Got the issue. You're converting the ElapsedTime to a string before stats, causing it to fail during sum. Try the updated answer.

0 Karma
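As an added illustration (not code from the thread or from Splunk), the Python model below reproduces the search pipeline on a few constructed events and shows the order-of-operations point made above: stats sum() only aggregates numeric values, so a duration that was already turned into a string before stats contributes nothing and the summed field comes back blank. The to_duration helper is an assumed approximation of tostring(x, "duration") (HH:MM:SS, days shown as a D+ prefix, fractional seconds truncated).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the original thread): one event per
# stall disconnect, using the same StartTime/EndTime format the SPL parses.
EVENTS = [
    {"Store": "1004", "Stall": "3", "StartTime": "2024-01-05T10:00:00.000", "EndTime": "2024-01-05T10:02:30.500"},
    {"Store": "1004", "Stall": "3", "StartTime": "2024-01-05T11:00:00.000", "EndTime": "2024-01-05T11:00:45.000"},
    {"Store": "1004", "Stall": "7", "StartTime": "2024-01-05T12:00:00.000", "EndTime": "2024-01-05T13:30:00.000"},
    {"Store": "1010", "Stall": "1", "StartTime": "2024-01-05T09:00:00.000", "EndTime": "2024-01-06T10:00:00.000"},
]

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f"  # Python equivalent of Splunk's "%Y-%m-%dT%H:%M:%S.%3N"

def elapsed_seconds(event):
    """Mirror of: eval it=strptime(StartTime,...) | eval ot=strptime(EndTime,...) | eval ElapsedTime=(ot - it)."""
    it = datetime.strptime(event["StartTime"], TS_FMT)
    ot = datetime.strptime(event["EndTime"], TS_FMT)
    return (ot - it).total_seconds()

def to_duration(seconds):
    """Assumed approximation of tostring(x, "duration"): HH:MM:SS, with a D+ prefix past 24h."""
    total = int(seconds)
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    body = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{body}" if days else body

def splunk_sum(values):
    """stats sum() aggregates numeric values only; with no numeric input the result is null (None here)."""
    nums = [v for v in values if isinstance(v, (int, float))]
    return sum(nums) if nums else None

def stats_by_store_stall(events, stringify_before_stats):
    """Mirror of: stats count(Stall) as Disconnects sum(ElapsedTime) as ElapsedTime by Store,Stall | sort -Disconnects,Store,Stall."""
    groups = defaultdict(list)
    for event in events:
        elapsed = elapsed_seconds(event)
        # The failing search applied tostring(..., "duration") here, before stats.
        groups[(event["Store"], event["Stall"])].append(to_duration(elapsed) if stringify_before_stats else elapsed)
    rows = []
    for (store, stall), vals in groups.items():
        total = splunk_sum(vals)
        rows.append({"Store": store, "Stall": stall, "Disconnects": len(vals),
                     "ElapsedTime": to_duration(total) if total is not None else None})
    rows.sort(key=lambda r: (-r["Disconnects"], r["Store"], r["Stall"]))
    return rows
```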

rbushman
New Member

Thanks, that worked like a champ!

0 Karma