Solved: Sum values from a table

matansocher · ‎08-31-2017

Hi,

I have created a table in splunk and 1 of the fields is numeric('sloc').
I would like to sum the values for each 'core'

I was trying to write something like:

index=testeda_p groupID=sloc_data 
| table core sloc_date sloc
| stats sum(sloc) as sumForCore by core

But there are no results in the new field I created (sumForCore)
My result:

I have also tried:

| stats sum(tonumber(sloc)) as sumForCore by core

and nothing
what am I doing wrong?

Thanks

niketn · ‎08-31-2017

How are you getting yout sloc? Is it possible there are whitespaces (before and/or after)?

 index=testeda_p groupID=sloc_data
 | eval sloc=trim(sloc) 
 | stats sum(sloc) as sumForCore by core

Or extract only digits through rex (if you have decimal values your rex will change). Following rex is based on your sample data.

 index=testeda_p groupID=sloc_data
 | rex field=sloc "(?<sloc>\d+)"
 | stats sum(sloc) as sumForCore by core

Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

matansocher · ‎08-31-2017

cmerriman, it didnt work for me. I think the problem was with the format of the numbers.
the trim function solve my problem.

cmerriman · ‎08-31-2017

do you ever have any null values is sloc?

try

 index=testeda_p groupID=sloc_data 
 | table core sloc_date sloc
 |fillnull sloc value=0
 | stats sum(sloc) as sumForCore by core

if that doesn't work, add |eval sloc=tonumber(sloc) before the fillnull command.

niketn · ‎08-31-2017

How are you getting yout sloc? Is it possible there are whitespaces (before and/or after)?

 index=testeda_p groupID=sloc_data
 | eval sloc=trim(sloc) 
 | stats sum(sloc) as sumForCore by core

Or extract only digits through rex (if you have decimal values your rex will change). Following rex is based on your sample data.

 index=testeda_p groupID=sloc_data
 | rex field=sloc "(?<sloc>\d+)"
 | stats sum(sloc) as sumForCore by core

Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

matansocher · ‎08-31-2017

Thank you!
The trim function did solve my problem.

niketn · ‎08-31-2017

Anytime! Glad it worked 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

gcusello · ‎08-31-2017

Hi
did you tried

index=testeda_p groupID=sloc_data 
| stats values(sloc_date) AS sloc_date sum(sloc) as sumForCore by core

?
Bye.
Giuseppe

matansocher · ‎08-31-2017

Just tried and still no result in the sumForCore field

gcusello · ‎08-31-2017

two stupid tests
index=testeda_p groupID=sloc_data
| stats sum(sloc) by core

index=testeda_p groupID=sloc_data
| stats count by core

Bye.
Giuseppe

matansocher · ‎08-31-2017

the count works just fine but the sum return no value

gcusello · ‎08-31-2017

This means that sloc has a text format and you have to convert it in number.
try with

index=testeda_p groupID=sloc_data 
| eval sloc=tonumber(sloc)
| stats values(sloc_date) AS sloc_date sum(sloc) as sumForCore by core

Bye.
Giuseppe

matansocher · ‎08-31-2017

Still no results in sumForCore
count, min, max
only avg and sum doesn't

gcusello · ‎08-31-2017

yes: count min and max don't use numbers, infact if you verify 2 is greater that 15!
if you try index=_internal kb=* | head 100 | stats sum(kb) AS kb by host you can see that the method is correct.
you should verify format of sloc because there's some problem in format, maybe decimals.
try using

index=testeda_p groupID=sloc_data 
| convert num(sloc) AS sloc2
| stats values(sloc_date) AS sloc_date sum(sloc2) as sumForCore by core

Bye.
Giuseppe

matansocher · ‎08-31-2017

the last suggestion does not work either.
I will try to figure out the problem with the format
thanks

Sum values from a table

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life