My search result is
Date a.log a.log.1 a.log.2 b.log b.log.1 b.log.2
8/1 4 3 4 5 6 7
8/2 4 3 4 5 6 7
8/3 4 3 4 5 6 7
8/4 4 3 4 5 6 7
now X =a.log+ a.log.1+a.log.2
now Y =b.log+ b.log.1+b.log.2
How can I do a sum for X & Y for the entire day?
Try addtotals
... | addtotals a.log* | rename Total as X | addtotals b.log* | rename Total as Y
let me know if this helps!
worked like charm 🙂
Try foreach
... | eval X=0, Y=0 | foreach a.* [eval X = X + '<<FIELD>>'] | foreach b.* [eval Y = Y + '<<FIELD>>'] | ...
thank you.
@Vijeta please guide
@reverse Are these a fixed number of fields for a & b? I am not sure what your question is, but it seems you want to sum these columns for each date
your search | eval X='a.log' + 'a.log.1' + 'a.log.2' | eval Y='b.log' + 'b.log.1' + 'b.log.2' | table Date X Y
" but it seems you want to sum these columns for each date" - yes
The problem is I have multiple rolled logs suffixed with [.] and [numbers] OR [DATE].
for example ..
a.log.65
a.log.2019-08-10 and so on ..
I want to combine all a.logs
@reverse Please see the answers by richgalloway and mayur, that should work for you.
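An added example, not part of any post in this thread: a self-contained search that builds a constructed version of the table with rolled files carrying both numeric and date suffixes (a.log.65, a.log.2019-08-10) and sums each family per row with a wildcard. The counts and the extra column names are made up for illustration; `fieldname=` on addtotals writes the sum straight into X or Y, so no rename is needed.

```spl
| makeresults count=4
| streamstats count AS n
| eval Date="8/".n
| eval "a.log"=4, "a.log.1"=3, "a.log.65"=4, "a.log.2019-08-10"=2
| eval "b.log"=5, "b.log.1"=6, "b.log.2019-08-10"=7
| addtotals fieldname=X a.log*
| addtotals fieldname=Y b.log*
| table Date X Y
```

The wildcard `a.log*` also matches any other column whose name starts with `a.log`, so check the column list before relying on the total.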