My Splunk log is coming in this format:
\"amountLabel\":\"Amount\",\"amountValue\":\"6000.00\",\"sentOrDepositLabel\".......
I want to sum the values of the 'amountValue' field and show it in a table for a specified period of time. Please let me know how I can do it.
First extract the amountValue field.
Link to Regex: https://regex101.com/r/UcePur/1
SearchString: index=foo sourcetype=xyz ....|timechart span=1h sum(amountValue) AS TotalSum
Hope this helps.
Aggregation uses stats.
| stats sum(amountValue)
If you extract the field in the search string itself:
| extract pairdelim=",", kvdelim=":"
| stats sum(amountValue)
Refer to the manual for how to set field extraction.
http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/ExtractfieldsinteractivelywithIFX
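Both answers rely on the same two steps: pull amountValue out of the escaped-JSON body, then sum it per hour. The following is an added example (not from either answer, and not Splunk's own code) that performs those two steps in Python over constructed sample events, so you can see what the extraction and the hourly sum should produce and how events with a missing or non-numeric amountValue drop out of the total, which Splunk's sum() does silently. The leading ISO timestamp on each event is an assumption; the question shows only the message body.

```python
import re
from collections import defaultdict
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Constructed sample events in the question's escaped-JSON format. The leading
# ISO timestamp is an assumption; the question shows only the message body.
SAMPLE_EVENTS = [
    r'2024-05-01T10:05:12Z {\"amountLabel\":\"Amount\",\"amountValue\":\"6000.00\",\"sentOrDepositLabel\":\"Sent\"}',
    r'2024-05-01T10:47:03Z {\"amountLabel\":\"Amount\",\"amountValue\":\"250.50\",\"sentOrDepositLabel\":\"Deposit\"}',
    r'2024-05-01T11:02:44Z {"amountLabel":"Amount","amountValue":"1000","sentOrDepositLabel":"Sent"}',
    r'2024-05-01T11:30:00Z {\"amountLabel\":\"Amount\",\"amountValue\":\"N/A\",\"sentOrDepositLabel\":\"Sent\"}',
    r'2024-05-01T12:15:09Z {\"amountLabel\":\"Amount\",\"sentOrDepositLabel\":\"Sent\"}',
]

# Matches amountValue whether the quotes are escaped (\") or plain (").
# The captured value is validated as a number afterwards, not by the regex.
AMOUNT_RE = re.compile(r'\\?"amountValue\\?":\\?"(?P<amount>[^"\\]*)\\?"')
TS_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s')


def extract_amount(event: str):
    """Return amountValue as a Decimal, or None when absent or non-numeric."""
    m = AMOUNT_RE.search(event)
    if not m:
        return None
    try:
        return Decimal(m.group("amount"))
    except InvalidOperation:
        return None


def hourly_totals(events):
    """Sum amountValue per hour bucket (the timechart span=1h equivalent).

    Returns (totals, skipped): totals maps 'YYYY-MM-DDTHH:00' to the Decimal
    sum; skipped counts events with no timestamp or no usable amount.
    """
    totals = defaultdict(Decimal)
    skipped = 0
    for event in events:
        ts_match = TS_RE.match(event)
        amount = extract_amount(event)
        if ts_match is None or amount is None:
            skipped += 1
            continue
        ts = datetime.strptime(ts_match.group("ts"), "%Y-%m-%dT%H:%M:%S")
        totals[ts.strftime("%Y-%m-%dT%H:00")] += amount
    return dict(totals), skipped


if __name__ == "__main__":
    totals, skipped = hourly_totals(SAMPLE_EVENTS)
    for bucket in sorted(totals):
        print(f"{bucket}  TotalSum={totals[bucket]}")
    print(f"skipped={skipped}")
```

Compare skipped against the event count before trusting the total: if the regex extraction or `extract pairdelim=","` leaves stray quotes in the value, Splunk treats it as non-numeric and the hour simply sums to less than it should.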