- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to graph the sum of field A where field B=TRUE...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The question is the simple case of one set of conditions. My goal is to line graph (4) variations in one chart:
sum field A where field B=TRUE and field C=FALSE as outbound
sum field A where field B=FALSE and field C=TRUE as inbound
sum field A where field B=TRUE and field C=TRUE as internal
sum field A where field B=FALSE and field C=FALSE as passthru
pipe into a timechart by day.
This working Splunk search charts the number of records that satisfies each of the 4 tests, but I can't figure out how to sum the Field A (producer_filename_bytes) of those matching records to line chart the 4 cumulative bytes of each?
index=prd_sterling sourcetype="sfg:fg_activity" state=Routed | timechart per_day(eval(producer_is_internal="TRUE" and consumer_is_internal="FALSE")) AS TotalOutbound,
per_day(eval(producer_is_internal="FALSE" and consumer_is_internal="TRUE")) AS TotalInbound,
per_day(eval(producer_is_internal="TRUE" and consumer_is_internal="TRUE")) AS TotalInternal,
per_day(eval(producer_is_internal="FALSE" and consumer_is_internal="FALSE")) AS TotalPassThru
Thanks very much! -Marc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
index=prd_sterling sourcetype="sfg:fg_activity" state=Routed
| eval Outbound=if(producer_is_internal="TRUE" and consumer_is_internal="FALSE",producer_filename_bytes,0)
| eval Inbound=if(producer_is_internal="FALSE" and consumer_is_internal="TRUE",producer_filename_bytes,0)
| eval Internal=if(producer_is_internal="TRUE" and consumer_is_internal="TRUE",producer_filename_bytes,0)
| eval PassThru=if(producer_is_internal="FALSE" and consumer_is_internal="FALSE",producer_filename_bytes,0) |
| timechart per_day(Outbound) as TotalOutbound per_day(Inbound) as TotalInbound per_day(Internal) AS TotalInternal,
per_day(PassThru) AS TotalPassThru
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try like this
index=prd_sterling sourcetype="sfg:fg_activity" state=Routed
| eval Outbound=if(producer_is_internal="TRUE" and consumer_is_internal="FALSE",producer_filename_bytes,0)
| eval Inbound=if(producer_is_internal="FALSE" and consumer_is_internal="TRUE",producer_filename_bytes,0)
| eval Internal=if(producer_is_internal="TRUE" and consumer_is_internal="TRUE",producer_filename_bytes,0)
| eval PassThru=if(producer_is_internal="FALSE" and consumer_is_internal="FALSE",producer_filename_bytes,0) |
| timechart per_day(Outbound) as TotalOutbound per_day(Inbound) as TotalInbound per_day(Internal) AS TotalInternal,
per_day(PassThru) AS TotalPassThru
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks somesoni2! That works perfectly. Really appreciate the assist.
FYI to others, remove the second pipe ahead of the timechart command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @marcoeur5
Glad you found an answer through @somesoni2 🙂 Don't forget to resolve the post by clicking "Accept" directly below his answer. Also, be sure to upvote his answer for helping you out.
Cheers
Patrick
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
