Count values from fields that may not exist

Rialf1959 · ‎10-27-2017

Hello,
How to sums values from fields that may not exists? I want to sums fields (if exists ) with this pattern: networks.^[a-zA-Z0-9]*$.rx_bytes

For example:

    index=myindex sourcetype=mysourcetype| eval count=('networks.eth0.rx_bytes' + 'networks.eth1.rx_bytes' + 'networks.eth2.rx_bytes' + 'networks.eth(n).rx_bytes' )

Thanks

HiroshiSatoh · ‎10-27-2017

Try this!

... | addtotals fieldname=count network.*.rx_bytes

Rialf1959 · ‎10-30-2017

Does not work.
Sample data:
https://pastebin.com/9sRs35Z3

EDIT: ofcourse, there is typo in field name. Network vs Networks

richgalloway · ‎10-27-2017

Try this. The foreach command accepts wildcards, but not regular expressions.

index=myindex sourcetype=mysourcetype | eval count=0 | foreach network.*.rx_bytes [eval count=count+<<FIELD>>] | table count

If you need to be specific about field matching, try this query.

index=myindex sourcetype=mysourcetype | eval count=0 | foreach network.*.rx_bytes [eval count=if(match(<<FIELD>>,"networks.^[a-zA-Z0-9]*$.rx_bytes"),count+<<FIELD>>, count)] | table count

---
If this reply helps you, Karma would be appreciated.

Rialf1959 · ‎10-30-2017

Does not work.
Sample data:
https://pastebin.com/9sRs35Z3

EDIT: ofcourse, there is typo in field name. Network vs Networks

Count values from fields that may not exist

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor