Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to sum up numeric value for a matching string pattern?

modipawan8126
New Member
‎03-24-2020 07:54 PM

Hi,

I have following pattern in my logs and i have need to sum up the numeric values. I want to sum up how many products persisted by evaluating following log statment?

2020-03-25 02:48:29.673  INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl     : Total number of manual products persisted - 50

What would be the right way to sum up persisted product? In above example 50 products got persisted. So considering following logs, my requirement is to get sum of 150 product persisted.

2020-03-25 02:18:29.673  INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl     : Total number of manual products persisted - 50
2020-03-25 02:28:29.673  INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl     : Total number of manual products persisted - 40
2020-03-25 02:38:29.673  INFO 25916 [nio-8080-exec-8] p.m.R.XXXXXImpl     : Total number of manual products persisted - 60

Do need to add any field with eval expression? if yes how to achieve it?

regards,
Pawan Modi

0 Karma
Reply

woodcock
Esteemed Legend
‎03-26-2020 10:06 AM

First create an field extraction for this sourcetype so that persisted is always available for every search. Then just do this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo"
| stats sum(persisted) AS Total_Persisted BY host and/or other fields here

The field extraction might be something like this:

REGEX = Total number of manual products persisted\s*-\s*(?<persisted>\d+)
0 Karma
Reply

modipawan8126
New Member
‎03-26-2020 08:54 PM

thanks woodcock!! I will give a try.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-25-2020 07:47 AM

Assuming you have the persisted value extracted as 'persisted' then you can get the sum using | stats sum(persisted) as TotalPersisted.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

modipawan8126
New Member
‎03-25-2020 08:59 PM

Hi Rich,

I have extracted but not sure if that work because it has string literals as well as numeric values. How to read numeric value from extracted field? Sorry i am very new to this techonlogy.

regards,
Pawan Modi

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-26-2020 05:37 AM

In your example logs, the persisted field is only numeric so a proper extraction should not have non-numeric values. You may need to further process the field to eliminate non-numeric values.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...