sumif

Synopsis

Displays the sum of the values in a specified column in the search query results based on a query to be executed on the record.

Syntax

sumif [column_name] “[search_query]”

Required Arguments

column_name

Syntax: <character string>

Description: The name of a column header that has numeric values

search_query

Syntax: <character string>

Description: The search query to be executed on the record

Optional Arguments

None

Description

For each event in the search query results that has the specified column_name with a numeric value, adds the value to the cumulative sum, and when it reaches the last event, displays the sum.

Examples

Example 1:  

* in log.access | sumif Bytes Sent "status=200"

Returns the sum of the values in column Bytes Sent in the events from access log only if the value of column status is 200.

Example 2:  

* in log.iis log| sumif time-taken "cs-host contains http" | group by c-ip 

From the events from log.iss log that have the text http in their cs-host column, calculates the sum of the values in the time-taken column per each c-ip column value.