Re: Calculating the sum for unique ID within each ...

104K · ‎11-21-2013

Hello Splunkers,

I have two different sourcetypes that can be grouped by a unique id where one sourcetype has some numerical value and another ends with transaction "END" such as below:

sourcetype1

unique_ID, field_A

a, 10

b, 20

c, 5

a, 20

c, 30

sourcetype2

unique_ID, field_B

a, END

b, END

c, END

I would like to calculate the sum of field_A between "END" status for unique_ID.

What I have done so far is:

sourcetype=sourcetype1 OR sourcetype=sourcetype2 | transaction unique_ID startswith="END"

Any help is welcomed.

Thanks in advance.

104K

alacercogitatus · ‎11-21-2013

Without a more narrow parameter on time, I can only generalize the search. Which event happens first? The END or the values? Do you need it over a range?

This one only takes the timerange of the entire search.

sourcetype=sourcetype1 OR sourcetype=sourcetype2 | stats sum(field_B) by unique_id

This one limits each transaction to 15 minute spans, assigns a "complete transaction id" (via streamstats) and then shows the sum per transaction.

sourcetype=sourcetype1 OR sourcetype=sourcetype2 | transaction unique_ID maxspan=15m | streamstats count AS event_id| stats sum(field_B) by unique_id event_id

alacercogitatus · ‎12-11-2013

If this has helped you, please mark it accepted!

Calculating the sum for unique ID within each transaction

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases