Solved: Sum of field but grouped by another field Values

matt4321 · ‎03-29-2018

I have the following values:

OS= ex. windows, linux
CPUCount= ex. 4,8,16
MemoryCount= ex. 8,16,32
PhysicalVirtual= ex. Physical, Virtual

I would like to chart the sum of the following:
Virtual_Linux=sum(CPUCount)
Virtual_Windows=sum(CPUCount)

Same for Physical, then by Memory both Physical and Virtual etc..

Thanks for any help on getting me started on this.

Matt

elliotproebstel · ‎03-29-2018

How about this:

your base search
| eval Physical_Linux_CPU=if(PhyicalVirtual="Physical" AND OS="linux", CPUCount, 0)
| eval Physical_Windows_CPU=if(PhyicalVirtual="Physical" AND OS="windows", CPUCount, 0)
| eval Virtual_Linux_CPU=if(PhyicalVirtual="Virtual" AND OS="linux", CPUCount, 0)
| eval Virtual_Windows_CPU=if(PhyicalVirtual="Virtual" AND OS="windows", CPUCount, 0)
| eval Physical_Linux_Memory=if(PhyicalVirtual="Physical" AND OS="linux", MemoryCount, 0)
| eval Physical_Windows_Memory=if(PhyicalVirtual="Physical" AND OS="windows", MemoryCount, 0)
| eval Virtual_Linux_Memory=if(PhyicalVirtual="Virtual" AND OS="linux", MemoryCount, 0)
| eval Virtual_Windows_Memory=if(PhyicalVirtual="Virtual" AND OS="windows", MemoryCount, 0)
| stats sum(*_CPU) AS *_CPU sum(*_Memory) AS *_Memory

There's probably a cleaner way to do that using foreach, but I'm not confident about the syntax and don't have access to my Splunk instance at the moment. 🙂 But this should definitely work.

View solution in original post

elliotproebstel · ‎03-29-2018

How about this:

your base search
| eval Physical_Linux_CPU=if(PhyicalVirtual="Physical" AND OS="linux", CPUCount, 0)
| eval Physical_Windows_CPU=if(PhyicalVirtual="Physical" AND OS="windows", CPUCount, 0)
| eval Virtual_Linux_CPU=if(PhyicalVirtual="Virtual" AND OS="linux", CPUCount, 0)
| eval Virtual_Windows_CPU=if(PhyicalVirtual="Virtual" AND OS="windows", CPUCount, 0)
| eval Physical_Linux_Memory=if(PhyicalVirtual="Physical" AND OS="linux", MemoryCount, 0)
| eval Physical_Windows_Memory=if(PhyicalVirtual="Physical" AND OS="windows", MemoryCount, 0)
| eval Virtual_Linux_Memory=if(PhyicalVirtual="Virtual" AND OS="linux", MemoryCount, 0)
| eval Virtual_Windows_Memory=if(PhyicalVirtual="Virtual" AND OS="windows", MemoryCount, 0)
| stats sum(*_CPU) AS *_CPU sum(*_Memory) AS *_Memory

There's probably a cleaner way to do that using foreach, but I'm not confident about the syntax and don't have access to my Splunk instance at the moment. 🙂 But this should definitely work.

matt4321 · ‎03-30-2018

This seems to work perfectly! I had to make sense of how it handles all items that don't match as 0's but once I figured that out it turned out great!

Thanks very Much!
Matt

TISKAR · ‎03-29-2018

Hello,

I didn't understand very well, try using append command:

index=<your_index_here> | fields OS, CPUCount, PhysicalVirtual | chart sum(CPUCount) by OS, PhysicalVirtual | 
append[ index=<your_index_here> | fields OS, MemoryCount, PhysicalVirtual | chart sum(MemoryCount) by OS, PhysicalVirtual ]

Best regards

jluo_splunk · ‎03-29-2018

For two separate charts..

Charting CPU count for both Physical and Virtual and OS:

index=<your_index_here> | fields OS, CPUCount, PhysicalVirtual | chart sum(CPUCount) by OS, PhysicalVirtual

Charting Memory for both Physical and Virtual and OS:

index=<your_index_here> | fields OS, MemoryCount, PhysicalVirtual | chart sum(MemoryCount) by OS, PhysicalVirtual

kmaron · ‎03-29-2018

are you looking for one chart with all of your options? Or separate charts?

Sum of field but grouped by another field Values

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!