Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

sum fields in same event

jrizzobwa
New Member
‎06-26-2010 03:36 AM

I need to sum fields by other fields in the same event.

Here is an example event:

_time                                somefieldname   somefieldvalue
6/26/10 3:09:23.000 AM               A               1
                                     A               1
                                     B               2
                                     B               2

How could I sum the values in somefieldvalue by somefieldname, then graph the sum. IE '| timechart span=1m avg(somefieldvalue) by somefield.'

For this event on the timechart A would equal to 2 and B would equal to 4.

I'm at a loss. Any help is appreciated.

Thanks, Joe

Tags (1)
0 Karma
Reply

Jordan_Brough
Path Finder
‎06-29-2012 08:12 AM

Here's a custom search command I wrote that provides an "mvsum" operator: http://jordan.broughs.net/archives/2012/06/mvsum-for-splunk-summing-multi-valued-fields-within-a-sin...

0 Karma
Reply

jrizzobwa
New Member
‎06-30-2010 09:56 PM

I ended up splitting the event into multiple events using split. Then I could use stats and timechart as expected.

Thanks, Joe

0 Karma
Reply

Lowell
Super Champion
‎06-28-2010 05:22 PM

You might be able to use multikv depending on how your actual raw text is structured. If you are dealing with a text table like format (like shown in your example), then this should work:

... | multikv fields somefieldname somefieldvalue | timechart sum(somefieldvalue) by somefieldname

However, if somefieldname and somefieldvalue are two independent multi-value fields, then we are looking at the scenario that Nick was referring to. Although, I'm not sure I follow what he is suggesting that you do. I'm not sure this case can be solved without using a custom search script.

Reply

sideview
SplunkTrust
SplunkTrust
‎06-26-2010 06:19 AM

seems like a strange way to have the data extracted, if I follow it correctly.

If your data was instead extracted where A and B were the actual field names, and they had multivalued values of [1,1] and [2,2] respectively, instead of the 'somefieldname' and 'somefieldvalue' fields, it would be a bit easier. In such a case you could get to your end result with: 

<your search> | stats sum(A) sum(B) by _time, _serial

Apart from that, i think what you need is to use one of the multivalue operators to break out your events into individual single value events and then do a stats by _time _serial as in the above.

Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...