supriya
Reputation: 31
how to apply multiple addition in Splunk
Hi Have below data from below query .. (index=abc OR index=def) |rex field=index "(?<Local_Market>[^cita]\w.*?)_" | chart count by blocked , Local_Market
blocked dub rat mil 0 10 20 21 1 02 03 09 2 9 2 1
Now i want the data as below
total bolocked(sumof 0 and sumof 2) dub rat mil total found(Sumof 1) (10+20+21+9+2+1)=63 10 20 21 (02+03+09)=14
Upvotes: 0
Views: 112
Answers (2)
RichG
Reputation: 9936
This run-anywhere example is ugly, but I believe it produces the desired results.
| makeresults
| eval _raw="blocked dub rat mil
0 10 20 21
1 02 03 09
2 9 2 1"
| multikv forceheader=1
| fields - _time _raw linecount
```Skip the above - it just creates test data```
```Compute the total_bolocked field for blocked=0 and blocked=2```
| eval total_bolocked=if(blocked!=1,dub+mil+rat,0)
```Compute the total_found field for blocked=1```
| eval total_found=if(blocked=1, dub+mil+rat,0)
```Add up the total_bolocked fields. This will include blocked=1, but we'll fix that below```
| eventstats sum(total_bolocked) as total_bolocked
```Set total_bolocked=0 if blocked is 1```
| eval total_bolocked=if(blocked=1,0, total_bolocked)
Upvotes: 0
RichG
Reputation: 9936
The question could be better formatted, but I think what you want is the addcoltotals command.
Upvotes: 1
Related Questions
- Splunk : How to sum the values of the fields that are a result of if condition
- Splunk - Displaying addcoltotals into its own column
- Count and sum in splunk
- How to add multiple queries in one search in Splunk
- nested condition in splunk
- Group events by multiple fields in Splunk
- In splunk How to apply Multiple filter on splunk
- Splunk how to combine two queries and get one answer
- How to append two queries in splunk?
- How to combine two queries in Splunk?