Hello,
How do I sum values from fields that may not exist? I want to sum the fields (if they exist) that match this pattern: networks.^[a-zA-Z0-9]*$.rx_bytes
For example:
index=myindex sourcetype=mysourcetype | eval count=('networks.eth0.rx_bytes' + 'networks.eth1.rx_bytes' + 'networks.eth2.rx_bytes' + 'networks.eth(n).rx_bytes')
Thanks
Try this!
... | addtotals fieldname=count network.*.rx_bytes
Does not work.
Sample data:
https://pastebin.com/9sRs35Z3
EDIT: Of course, there is a typo in the field name: Network vs. Networks.
Try this. The foreach command accepts wildcards, but not regular expressions.
index=myindex sourcetype=mysourcetype | eval count=0 | foreach network.*.rx_bytes [eval count=count+'<<FIELD>>'] | table count
If you need to be specific about field matching, try this query.
index=myindex sourcetype=mysourcetype | eval count=0 | foreach network.*.rx_bytes [eval count=if(match("<<FIELD>>","^networks\.[a-zA-Z0-9]*\.rx_bytes$"),count+'<<FIELD>>', count)] | table count
Does not work.
Sample data:
https://pastebin.com/9sRs35Z3
EDIT: Of course, there is a typo in the field name: Network vs. Networks.
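
A run-anywhere version of the foreach approach discussed in this thread, added here as an example and not posted by any participant. It builds three constructed events with makeresults in which some networks.*.rx_bytes fields are missing, uses the corrected "networks" prefix, and guards each addition with isnum() because adding a null field in eval would turn the whole total null. The interface names, the values, and the helper fields n, eth0_rx, eth1_rx, wlan0_rx and eth0_tx are assumptions made for the example.

```spl
| makeresults count=3
| streamstats count AS n
| eval eth0_rx=1000*n, eth1_rx=if(n>1, 200*n, null()), wlan0_rx=if(n=3, 50, null()), eth0_tx=999999
| rename eth0_rx AS "networks.eth0.rx_bytes"
| rename eth1_rx AS "networks.eth1.rx_bytes"
| rename wlan0_rx AS "networks.wlan0.rx_bytes"
| rename eth0_tx AS "networks.eth0.tx_bytes"
| eval count=0
| foreach networks.*.rx_bytes
    [ eval count=count + if(isnum('<<FIELD>>'), '<<FIELD>>', 0) ]
| table n networks.*.rx_bytes count
```

The wildcard only picks up the rx_bytes fields, so the constructed networks.eth0.tx_bytes value is not included in count.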