I'm trying hard to achieve the following. Assume I have this data:
```
DATE=20200101 ITEM1=1 ITEM2=10
DATE=20200102 ITEM1=2 ITEM2=20
DATE=20200103 ITEM1=3 ITEM2=30
...
DATE=20200131 ITEM1=5 ITEM2=40
DATE=20200201 ITEM1=1 ITEM2=10
DATE=20200202 ITEM1=2 ITEM2=20
DATE=20200203 ITEM1=3 ITEM2=20
...
DATE=20200228 ITEM1=4 ITEM2=20
```
I'd like to multiply ITEM1 by ITEM2 and show the result in the field dailytot; the table query then looks like this:
```
DATE=*
| rex field=_raw "DATE=\d+(?<Month>(.*))\d+ "
| rex field=_raw "DATE=(?<Year>(.*))\d+\d+ "
| rex field=_raw "DATE=\d+\d+(?<Day>(.*)\s{1})ITEM1"
| stats sum(ITEM1) as ITEM1 sum(ITEM2) as ITEM2 by Month, Year, Day
| eval Daytot = ( ITEM1 * ITEM2)
| addcoltotals ITEM1, ITEM2, Daytot labelfield=Month label=Total
```
The output looks like:
| Month | Year | Day | ITEM1 | ITEM2 | Daytot |
|---|---|---|---|---|---|
| 01 | 2020 | 01 | 1 | 10 | 10 |
| 01 | 2020 | 02 | 2 | 20 | 40 |
| 01 | 2020 | 03 | 3 | 30 | 90 |
| 01 | 2020 | 31 | 5 | 40 | 200 |
| 02 | 2020 | 01 | 1 | 10 | 10 |
| 02 | 2020 | 02 | 2 | 20 | 40 |
| 02 | 2020 | 03 | 3 | 20 | 60 |
| 02 | 2020 | 28 | 4 | 20 | 80 |
| Total | | | 21 | 170 | 530 |
All good so far, but I would like to get monthly totals like this:
| Month | Year | ITEM1 | ITEM2 | Daytot |
|---|---|---|---|---|
| 01 | 2020 | 11 | 100 | 340 |
| 02 | 2020 | 10 | 70 | 190 |
| Total | 2020 | 21 | 170 | 530 |
I was thinking about appending one more search and doing one more calculation:
```
DATE=*
| rex field=_raw "DATE=\d+(?<Month>(.*))\d+ "
| rex field=_raw "DATE=(?<Year>(.*))\d+\d+ "
| rex field=_raw "DATE=\d+\d+(?<Day>(.*)\s{1})ITEM1"
| stats sum(ITEM1) as ITEM1 sum(ITEM2) as ITEM2 by Month, Year
| append [
    stats sum(ITEM1) as ITEM1 sum(ITEM2) as ITEM2 by Month, Year, Day
    | eval Daytot = ( ITEM1 * ITEM2) ]
| addcoltotals ITEM1, ITEM2, Daytot labelfield=Month label=Total
```
But the above try doesn't take me anywhere.
Tags: splunk-enterprise, daily, month, multiply | Posted Thu, 17 Oct 2019 16:42:42 GMT by mkrauss1
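The monthly Daytot values the post asks for (340, 190) are sums of the daily products, not the product of the monthly sums (11 × 100 would be 1100), so the daily product has to be computed first and then summed a second time. The following search is an added example, not code from the post above; it assumes the same `DATE=YYYYMMDD ITEM1=n ITEM2=n` event layout with ITEM1 and ITEM2 auto-extracted as key=value fields, and it replaces the three separate rex commands with one anchored extraction so Year, Month and Day cannot overlap:

```spl
DATE=*
| rex field=_raw "DATE=(?<Year>\d{4})(?<Month>\d{2})(?<Day>\d{2})"
| stats sum(ITEM1) as ITEM1 sum(ITEM2) as ITEM2 by Year Month Day
| eval Daytot = ITEM1 * ITEM2
| stats sum(ITEM1) as ITEM1 sum(ITEM2) as ITEM2 sum(Daytot) as Daytot by Year Month
| addcoltotals ITEM1 ITEM2 Daytot labelfield=Month label=Total
```

The first stats produces one row per day (the table in the post), the eval computes that day's product, and the second stats collapses the days into months while summing Daytot rather than recomputing it. Note that addcoltotals only fills the labelfield on the total row, so Year stays empty there unless you set it afterwards (for example with fillnull).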
Hi,
Can someone please help me with this query? I am trying to multiply the fields Batch_Size and count and return the results in the tc field. I tried the above syntax but it did not work.
The first three lines of this query work fine by themselves. After adding lines 4 and 5, it does not return anything.
```
"\(TOTAL_REC\)::"
| rex field=_raw "(\(TOTAL_REC\)::)(?P\s(\d))"
| stats count by Batch_Size
| eval tc = Batch_Size*count
| stats sum(tc) as tc
```
Any help will be appreciated.
Tags: multiply | Posted Tue, 13 Aug 2019 12:23:02 GMT by rlaul
Hi.
I have one issue with my search. I need to multiply three fields to get another new field. When I do the multiply, in some cases it works right, but with some values it rounds the result...
For example:
I need to multiply the following fields: `cw * tcw * aw` and put the result in the field called wt. There's no problem when these fields are integers; in this case Splunk multiplies them well, but when these fields are decimal, Splunk rounds the result, and I don't know why.
(screenshot not reproduced here)
The part of the search that does this is:
```
| convert num(cw) as cw, num(tcw) as tcw, num(aw) as aw
| eval wt=cw * tcw * aw
| stats values(wt) values(cw) values(tcw) values(aw) by Month, cou, techclu, app, appid, act, ow, aid, acty, afm ,camp
```
Does anyone know what could be happening? I've tried everything, and it returns the same result again and again.
Thanks!!
Tags: search, eval, exact, multiply | Posted Mon, 22 May 2017 08:59:29 GMT by nsanchezfernandez
Hi
I have a table as below.
| severity | S0 | S1 | S2 | S3 |
|---|---|---|---|---|
| event A | 1 | 0 | 0 | 0 |
| event B | 0 | 2 | 0 | 0 |
| event C | 0 | 1 | 1 | 0 |
Each column has a different weight; for example, S0 = 1,000,000, S1 = 10,000, S2 = 100, S3 = 1. I want to sort the events based on the weight multiplied by the event number.
Tags: sort, weighted, multiply | Posted Wed, 10 May 2017 14:59:00 GMT by hakusama1024
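A weighted score for each row, followed by a descending sort on it, gives the ordering the post asks for. The search below is an added example, not code from the post; it assumes the table comes from a base search (`index=my_index` here is a placeholder) and that the columns are named severity, S0, S1, S2 and S3 exactly as shown:

```spl
index=my_index
| fillnull value=0 S0 S1 S2 S3
| eval weight = S0*1000000 + S1*10000 + S2*100 + S3*1
| sort 0 - weight
| table severity weight S0 S1 S2 S3
```

The fillnull matters: eval arithmetic on a missing field yields null, so a row with an empty cell would get no weight at all and drop to the bottom regardless of its other counts. `sort 0` removes the default 10,000-row limit of sort. With these particular weights, 100 S1 events outrank one S0 event (100 × 10,000 = 1,000,000), so check that the ratio between adjacent weights expresses the trade-off you actually want before relying on the order.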
Hi all,
I am having trouble figuring out how to multiply the number of events by the values that are given in the fields of those events and then plotting those results for the last 7 days.
For example: I have 3 logs for February 1 where each log has **event=total_cards** and the value for total_cards is 1000, 500, 400.
I would like to be able to essentially add the value of total_cards (1000+500+400) and display that result for each day in the last 7 days.
```
base search
| stats count by total_cards
| eval total = (total_cards*count)
| eventstats sum(total) AS Total
| table Total
| table _time Total
```
Tags: stats, eval, eventstats, calculate, multiply | Posted Thu, 02 Feb 2017 23:14:22 GMT by demkic
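Summing the value of every event per day does not need the count-then-multiply step at all: `stats count by total_cards` groups events by their distinct value, so three events with values 1000, 500 and 400 become three rows of count 1, and the _time needed for the per-day plot is gone by the time of `table _time Total`. The search below is an added example, not code from the post; it assumes the events carry `event=total_cards` with a numeric total_cards field, and the search is pinned to the last seven whole days:

```spl
event=total_cards earliest=-7d@d latest=now
| timechart span=1d sum(total_cards) as Total
| fillnull value=0 Total
```

timechart buckets the events by day and sums total_cards inside each bucket, which for the February 1 example yields 1900 on that day. The fillnull turns any day without events into an explicit 0 so the chart does not show a gap. If you need a plain table rather than a chart series, `| bin _time span=1d | stats sum(total_cards) as Total by _time` produces the same rows.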
I have the following search
```
index="commercial_performance" Cat1="Unit Cost Modelled Standard Activity Rate" Value!="within *" $month_token$ $Customer_token$ $SL_token$
| stats avg(Value) AS "Planned" by Cat
| appendcols [search index="commercial_performance" Cat1="Unit Cost Actual" Value!="within *" $month_token$ $Customer_token$ $SL_token$
    | stats avg(Value) AS "Actual" by Cat]
```
Tags: value, multiply | Posted Tue, 29 Sep 2015 15:45:03 GMT by deanamite91
Hi,
I have an app with a time dropdown.
I want to use earliest time as double the earliest time selected by the user.
If a user selects 6 minutes ago, the search should take 12 days ago as the earliest time through the token.
I got it working by using $timevalue.earliest$$timevalue.earliest$ as the earliest time in place of $timevalue.earliest$
[where $timevalue.earliest$ is the token for the time dropdown.]
But the problem is when a user selects particular dates for running the search. In that case, an epoch value is generated and my app shows an invalid earliest time.
Is there any way to solve this?
Tags: time, token, epoch, earliest-time, multiply | Posted Mon, 27 Jul 2015 10:26:05 GMT by ektasiwani
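Concatenating the token works for relative strings such as `-6m` but not for the epoch value a date picker produces, so the doubling has to happen after the token has been converted to a number. The search below is an added example, not code from the post or the app; it assumes the time input is named timevalue (so `$timevalue.earliest$` is substituted into the search string), that `index=my_index` stands in for the real base search, and it computes the doubled earliest time in a subsearch that returns it as an `earliest=` search term:

```spl
index=my_index
    [ | makeresults
      | eval picked = "$timevalue.earliest$"
      | eval start = if(isnum(picked), tonumber(picked), relative_time(now(), picked))
      | eval earliest = if(start <= 0, 0, now() - 2 * (now() - start))
      | return earliest ]
| stats count
```

isnum() distinguishes the two token shapes: an epoch value is used as-is, a relative string such as `-6m@m` is resolved with relative_time() against now(). The distance from now to that start is then doubled, and `return earliest` emits `earliest="<epoch>"` into the outer search, where a time modifier in the search string overrides the time range set by the input. The `start <= 0` guard keeps an "All time" selection (earliest token 0) from turning into a negative timestamp. Keep in mind that the result is only as trustworthy as the token: the subsearch runs with whatever string the dashboard substitutes, so the input's choices, not free text, should be the only source of that value.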
I have a search that returns the survival rate over time. For instance:
| Time | SurvivalRate |
|---|---|
| 1 | 0.98 |
| 2 | 0.96 |
| 3 | 0.65 |
| 4 | 1 |
| ... | ... |
I would like to show a running survival rate that is like streamstats sum(survivalRate), but instead of adding the numbers in each new line, it multiplies it. So it would return something like this:
| Time | SurvivalRate | RunningSurvivalRate |
|---|---|---|
| 1 | 0.98 | 0.98 |
| 2 | 0.96 | 0.9408 (0.98 * 0.96) |
| 3 | 0.65 | 0.61152 (0.9408 * 0.65) |
| 4 | 1 | 0.61125 (0.61152 * 1) |
| ... | ... | ... |
Am I using the wrong tool for this job? Is there a streamstats function that I am ignorant of?
Tags: stats, sum, multiply | Posted Tue, 21 Jul 2015 04:03:32 GMT by Amohlmann
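streamstats has no running-product function, but a running product is a running sum in log space: exp(ln(a) + ln(b)) = a × b. The search below is an added example, not code from the post; it assumes the rows already exist with numeric Time and SurvivalRate fields (`index=my_index` is a placeholder for the base search) and it handles the one value the log trick cannot, a rate of exactly 0:

```spl
index=my_index
| sort 0 Time
| eval ln_rate = ln(SurvivalRate)
| streamstats sum(ln_rate) as ln_prod min(SurvivalRate) as min_rate
| eval RunningSurvivalRate = if(min_rate == 0, 0, round(exp(ln_prod), 5))
| table Time SurvivalRate RunningSurvivalRate
```

For the sample rows this yields 0.98, 0.9408, 0.61152 and 0.61152. The explicit sort matters because streamstats accumulates in the order rows arrive. ln(0) is null and streamstats silently skips nulls, so without the min_rate guard a zero rate would leave the product unchanged instead of collapsing it to 0; the running minimum detects that case. The round() only tidies floating-point noise from the exp/ln round trip for display; drop it if you feed the value into further arithmetic.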