- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- summing values from stats
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a query that produces a stats table that looks like this
company count
testco 100
testcoa 200
testcob 100
testcoc 500
nottestco 50
otherco 150
someco 300
I need to sum up the counts for each company. In this example testco, testcoa, testcob and testcoc are all the same company just different divisions. I need to return a value of 900 for testco, 50 for nottestco, 150 for otherco and 300 for someco.
Seems easy but my brain isn't working today......
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
well I found a way to make it work, not sure if it is the best way though
index=mso_statistics sourcetype=ic_connectivity_5min-too_small stat_name=subscribers |rex "\d+\s(?<mso>\w+)"|stats max(stat_val) as Subscribers by mso|where like(mso,"%testco%") |stats sum(Subscribers) as count
In the query testco is actually a token value, I substituted it just to illustrate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you literally have the table in the original post and just need the output you specified, I'd use this:
[ your search]
| eval company=if(like(company, "testco%"), "testco", company)
| stats sum(count) AS count BY company
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may want to use a lookup to federate this information and then search on that field.
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources
You may already have this information in the form of a DB or CMDB.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Lamar,
I'm not sure I understand what you are trying to say....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What using a lookup provides is the efficiency of updating one source of information rather than have an incredibly monolithic macro (or god forbid, searches) that include the logic for handling all of the different companies in your data. You could even go so far as include other types of information about said company in the lookup that could return things like address, type of company, contact information...etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With a lookup, what you can do is something similar to this:
lookup_file.csv
mso|company
testco|Company1
testcoa|Company1
testcob|Company1
testcoc|Company1
otherco|Company2
someotherco|Company3
search
index=mso_statistics sourcetype=ic_connectivity_5min-too_small stat_name=subscribers | lookup lookup_file mso OUTPUT company | eventstats count by company | stats sum(count) as totals by company
EDIT: a letter
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
well I found a way to make it work, not sure if it is the best way though
index=mso_statistics sourcetype=ic_connectivity_5min-too_small stat_name=subscribers |rex "\d+\s(?<mso>\w+)"|stats max(stat_val) as Subscribers by mso|where like(mso,"%testco%") |stats sum(Subscribers) as count
In the query testco is actually a token value, I substituted it just to illustrate
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
