Splunk Search

How to sum up numeric value for a matching string pattern?

modipawan8126
New Member

Hi,

I have the following pattern in my logs and I need to sum up the numeric values. I want to sum up how many products were persisted by evaluating the following log statement.

2020-03-25 02:48:29.673  INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl     : Total number of manual products persisted - 50

What would be the right way to sum up the persisted products? In the above example, 50 products got persisted. So considering the following logs, my requirement is to get a sum of 150 products persisted.

2020-03-25 02:18:29.673  INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl     : Total number of manual products persisted - 50
2020-03-25 02:28:29.673  INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl     : Total number of manual products persisted - 40
2020-03-25 02:38:29.673  INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl     : Total number of manual products persisted - 60

Do I need to add any field with an eval expression? If yes, how do I achieve it?

regards,
Pawan Modi

0 Karma

woodcock
Esteemed Legend

First create a field extraction for this sourcetype so that persisted is always available for every search. Then just do this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo"
| stats sum(persisted) AS Total_Persisted BY host and/or other fields here

The field extraction might be something like this:

REGEX = Total number of manual products persisted\s*-\s*(?<persisted>\d+)

0 Karma

modipawan8126
New Member

Thanks woodcock!! I will give it a try.

0 Karma

richgalloway
SplunkTrust

Assuming you have the persisted value extracted as 'persisted' then you can get the sum using | stats sum(persisted) as TotalPersisted.

---
If this reply helps you, Karma would be appreciated.
0 Karma

modipawan8126
New Member

Hi Rich,

I have extracted it but I am not sure if that works because it has string literals as well as numeric values. How do I read the numeric value from the extracted field? Sorry, I am very new to this technology.

regards,
Pawan Modi

0 Karma

richgalloway
SplunkTrust

In your example logs, the persisted field is only numeric so a proper extraction should not have non-numeric values. You may need to further process the field to eliminate non-numeric values.

---
If this reply helps you, Karma would be appreciated.
0 Karma
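
An added example, not part of any reply in this thread: the extraction and sum discussed above as one self-contained search that can be pasted into the search bar. The first three events are the sample lines from the question; the fourth event (marked as constructed in its text) and the use of an inline `rex` in place of a saved field extraction are assumptions made for illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(
    n=1, "2020-03-25 02:18:29.673  INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl     : Total number of manual products persisted - 50",
    n=2, "2020-03-25 02:28:29.673  INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl     : Total number of manual products persisted - 40",
    n=3, "2020-03-25 02:38:29.673  INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl     : Total number of manual products persisted - 60",
    n=4, "2020-03-25 02:48:29.673  INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl     : Total number of manual products persisted - n/a (constructed event)")
| rex field=_raw "Total number of manual products persisted\s*-\s*(?<persisted>\d+)"
| stats sum(persisted) AS Total_Persisted, count(persisted) AS Events_Summed, count AS Events_Seen
```

Because the capture group is `\d+`, `persisted` can only ever hold digits; an event whose value is not numeric does not match, gets no `persisted` field, and is left out of the sum, which is why Events_Summed and Events_Seen are reported side by side.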