sumif
Synopsis
Displays the sum of the values in a specified column in the search query results based on a query to be executed on the record.
Syntax
sumif [column_name] "[search_query]"
Required Arguments
column_name
Syntax: <character string>
Description: The name of a column header that has numeric values
search_query
Syntax: <character string>
Description: The search query to be executed on the record
Optional Arguments
None
Description
For each event in the search query results that has a numeric value in the specified column_name, adds that value to a running total and, after the last event has been processed, displays the total. Events that lack the column, or whose value in it is not numeric, do not contribute to the sum.
Examples
Example 1:
* in log.access | sumif Bytes Sent "status=200"
Returns the sum of the values in the Bytes Sent column for the events in the access log whose status column has the value 200.
Example 2:
* in log.iis log| sumif time-taken "cs-host contains http" | group by c-ip
From the events in the log.iis log whose cs-host column contains the text http, calculates the sum of the values in the time-taken column for each distinct c-ip value.
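The following is an added reference model of the sumif semantics described on this page, not the product's own implementation: it filters constructed sample events with a predicate, sums only numeric values of the named column, and optionally groups the totals, so both documented examples can be checked outside the tool.

```python
# Added example (not the product's code): a model of sumif over constructed events.
from typing import Callable, Dict, Iterable, Optional

Event = Dict[str, str]

def to_number(value: Optional[str]) -> Optional[float]:
    """Return the numeric value of a field, or None if it is missing or not numeric."""
    try:
        return float(value)  # type: ignore[arg-type]
    except (TypeError, ValueError):
        return None

def sumif(events: Iterable[Event], column: str, matches: Callable[[Event], bool],
          group_by: Optional[str] = None) -> Dict[str, float]:
    """Sum `column` over events satisfying `matches`.

    Events missing the column, or holding a non-numeric value, are skipped, as the
    page's 'has the specified column_name with a numeric value' rule requires.
    Without group_by the result is {'': total}; with it, one total per group value
    (events lacking the group column fall into the '' bucket).
    """
    totals: Dict[str, float] = {}
    for event in events:
        if not matches(event):
            continue
        value = to_number(event.get(column))
        if value is None:
            continue
        key = event.get(group_by, "") if group_by else ""
        totals[key] = totals.get(key, 0.0) + value
    return totals

# Constructed sample events standing in for log.access and log.iis records.
ACCESS_EVENTS = [
    {"status": "200", "Bytes Sent": "512"},
    {"status": "404", "Bytes Sent": "128"},   # status != 200: excluded by the filter
    {"status": "200", "Bytes Sent": "1024"},
    {"status": "200", "Bytes Sent": "-"},     # non-numeric: skipped by sumif
]
IIS_EVENTS = [
    {"cs-host": "http://intranet", "c-ip": "10.0.0.5", "time-taken": "30"},
    {"cs-host": "http://intranet", "c-ip": "10.0.0.6", "time-taken": "45"},
    {"cs-host": "ftp.example",     "c-ip": "10.0.0.5", "time-taken": "99"},  # no 'http'
    {"cs-host": "https://portal",  "c-ip": "10.0.0.5", "time-taken": "15"},
]

def example_1() -> float:
    """Models: * in log.access | sumif Bytes Sent "status=200" """
    return sumif(ACCESS_EVENTS, "Bytes Sent", lambda e: e.get("status") == "200").get("", 0.0)

def example_2() -> Dict[str, float]:
    """Models: * in log.iis | sumif time-taken "cs-host contains http" | group by c-ip"""
    return sumif(IIS_EVENTS, "time-taken", lambda e: "http" in e.get("cs-host", ""), "c-ip")
```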