Solved: Need to add the numeric value after split

AdixitSplunk · ‎12-29-2016

HI All,

I have a log like below,there are under Message field in the logs :
ApplicationName date. total: 2.This is the count: 35
ApplicationName date. total: 3.This is the count: 39

which is giving below result as expected:
num num1
35 2
39 3

what i want is Sum :
num num1
35 2
39 3
Total 74 5
I have tried : query|addcolstotal num num1 and stats sum(num) by host etc...but they are just not working .

Thanks in advance

somesoni2 · ‎12-29-2016

Give this a try

index=xyz sourcetype=abc 
| rex field=Message "total:\s*(?<num1>\d+).+count:\s*(?<num2>\d+)"
| table num1 num2
| addcoltotals

View solution in original post

somesoni2 · ‎12-29-2016

Give this a try

index=xyz sourcetype=abc 
| rex field=Message "total:\s*(?<num1>\d+).+count:\s*(?<num2>\d+)"
| table num1 num2
| addcoltotals

AdixitSplunk · ‎12-29-2016

Thank you ..... It really helped

cmerriman · ‎12-29-2016

Try adding tonumber.

index=xyz sourcetype=abc|eval field=split(Message,":")|eval num=tonumber(mvindex(field,2))|eval field2=split(mvindex(field,1),".")|eval num1=tonumber(mvindex(field2,0))|table num num1

Need to add the numeric value after split

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases