Can you help me sum the data in the following field?

maheshsat
Explorer

Hi Team,

I have a PATA field and need the sum of the PATA field. I am using the command below; where should I add PATA to get the sum of the PATA field?

index=pass  source="test" |eval DATE = YEAR."-".PERIOD| fields DATE | stats count by DATE

2018-10-24 14:43:50.556, S_DATE="201208", SCENARIO="Actual", YEAR="2016", PERIOD="Feb", VIEW="YTD", ENTITY="109", ENTITY_DESC="Test Canada Inc.", MARKET="Canada", ACCOUNT="922002", ACCOUNT_DESC="922002 - Employee Activity Food Bev", INTER_ENTITY="[ICP None]", VALUE="[Parent Total]", RC="21102", SUBACCOUNT="000000", INTER_RC="000000", PRODUCT="000000", CUSTOM5="USD_FUNC_Total", DATA_TYPE="Total_Late", PATA="179.03919201"
0 Karma
1 Solution

harsmarvania57
SplunkTrust

If you want both count and sum, try the query below:

index=pass source="test" |eval DATE = YEAR."-".PERIOD| fields DATE, PATA | stats count, sum(PATA) AS Total_PATA by DATE

0 Karma
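
The only change between the question's query and the accepted one is that `fields DATE, PATA` keeps PATA available to `stats`, which can then sum it. The following added example (Python, not SPL and not code from the thread) replays both pipelines over constructed events in the posted key="value" layout; the helper names and the treatment of a non-numeric PATA (counted, not summed) are assumptions of this example.

```python
import re
from collections import defaultdict
from decimal import Decimal, InvalidOperation

# Constructed sample events in the thread's key="value" layout (not real data).
EVENTS = [
    '2018-10-24 14:43:50.556, YEAR="2016", PERIOD="Feb", ENTITY="109", PATA="179.03919201"',
    '2018-10-24 14:43:50.557, YEAR="2016", PERIOD="Feb", ENTITY="109", PATA="20.96080799"',
    '2018-10-24 14:43:50.558, YEAR="2016", PERIOD="Apr", ENTITY="109", PATA="-5.5"',
    '2018-10-24 14:43:50.559, YEAR="2016", PERIOD="Apr", ENTITY="109", PATA="[None]"',
]

PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse(event):
    """Extract key="value" pairs and build DATE as the eval does (YEAR."-".PERIOD)."""
    fields = dict(PAIR.findall(event))
    fields["DATE"] = fields["YEAR"] + "-" + fields["PERIOD"]
    return fields

def keep(rows, names):
    """Projection step: any field not listed is unavailable to later stages."""
    return [{k: r[k] for k in names if k in r} for r in rows]

def count_and_sum(rows, by="DATE", field="PATA"):
    """Per group: number of events, and the sum of the numeric values of `field`."""
    out = defaultdict(lambda: {"count": 0, "Total_PATA": None})
    for r in rows:
        group = out[r[by]]
        group["count"] += 1
        try:
            value = Decimal(r[field])
        except (KeyError, InvalidOperation):
            continue  # field missing or non-numeric: event is counted, not summed
        total = group["Total_PATA"]
        group["Total_PATA"] = value if total is None else total + value
    return dict(out)

def run(field_list):
    """Replay eval -> fields <field_list> -> stats count, sum(PATA) by DATE."""
    return count_and_sum(keep([parse(e) for e in EVENTS], field_list))

if __name__ == "__main__":
    for cols in (["DATE"], ["DATE", "PATA"]):
        print("fields " + ", ".join(cols), "->", run(cols))
```

With only DATE kept, every group has a count but no total; with DATE and PATA kept, both columns are filled.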

Vijeta
Influencer

Try this-

index=pass source="test" |eval DATE = YEAR."-".PERIOD| fields DATE, PATA | stats count ,sum(PATA) AS Total_PATA by DATE
0 Karma

maheshsat
Explorer

Thanks, it's working. I appreciate your help.

0 Karma

harsmarvania57
SplunkTrust

Great that your problem is solved 🙂

0 Karma

maheshsat
Explorer

Yes, I ran your command, but the count field is missing, and I am getting two fields, Date and PATA.

0 Karma

maheshsat
Explorer

Thanks for the quick reply.

index=pass source="test" |eval DATE = YEAR."-".PERIOD| fields DATE | stats count by DATE

I am getting the output below:

Date Count
2016-Apr 6000
2016-Aug 1000
2016-Dec 1229

My requirement

Date Count PATA
2016-Apr 6000
2016-Aug 1000
2016-Dec 1229

It should show the sum of the PATA data by year and month, visible in the PATA field.

Your command does not add the count field, hence it is not working.

0 Karma

harsmarvania57
SplunkTrust

Have you tried running the query which I provided? You are still doing stats count instead of stats sum(PATA)..., as I mentioned in my previous comment.

0 Karma

harsmarvania57
SplunkTrust

Hi,

Can you please try the query below?

index=pass source="test" |eval DATE = YEAR."-".PERIOD| fields DATE, PATA | stats sum(PATA) AS Total_PATA by DATE
0 Karma