https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/512579#M2962 <P>Try getting the total count from dest_port.</P><LI-CODE lang="markup">| stats values(dest_port) as dest_port count(bytes) as count by app | eval total_count = mvcount(dest_port)</LI-CODE><P>&nbsp;</P> Wed, 05 Aug 2020 14:33:17 GMT richgalloway 2020-08-05T14:33:17Z https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/512556#M2957 <P>Hi&nbsp;</P><P>Need help on my query, I want to achieve this kind of table shown below</P><P>What I want is to get the total_count value for each app by adding the values under count and get sum of it under total_count</P><P>&nbsp;</P><TABLE width="306"><TBODY><TR><TD width="97">app</TD><TD width="67">dest_port</TD><TD width="64">count</TD><TD width="78">total_count</TD></TR><TR><TD>ssl</TD><TD width="67">10001<BR />10020<BR />13000<BR />13006<BR />22790<BR />26107<BR />443<BR />44345<BR />4</TD><TD width="64">21<BR />2<BR />3<BR />2<BR />8<BR />19<BR />22<BR />55<BR />323</TD><TD>?</TD></TR><TR><TD>web-browsing</TD><TD width="67"><P>1000<BR />21<BR />443<BR />5000<BR />7788<BR />80<BR />8003<BR />8080</P></TD><TD width="64">2<BR />3<BR />4<BR />7<BR />1000<BR />200<BR />12<BR />21</TD><TD>?</TD></TR></TBODY></TABLE><P>&nbsp;</P> Wed, 05 Aug 2020 14:35:32 GMT https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/512556#M2957 goringop 2020-08-05T14:35:32Z https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/512564#M2959 <P>An eval should do it.</P><LI-CODE lang="markup">| stats values(dest_port) as dest_port count(bytes) as count by app | eval total_count = mvcount(count)</LI-CODE> Wed, 05 Aug 2020 14:08:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/512564#M2959 richgalloway 2020-08-05T14:08:57Z https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/512566#M2960 <P>it works <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> thank you for your help</P> Wed, 05 Aug 2020 14:10:51 GMT https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/512566#M2960 goringop 2020-08-05T14:10:51Z https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/512572#M2961 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>it seems that the count for each dest_port where gone, then Im getting the total_count with a value of 1</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="goringop_0-1596637374491.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10060i312523C6B51E6D89/image-size/medium?v=v2&amp;px=400" role="button" title="goringop_0-1596637374491.png" alt="goringop_0-1596637374491.png" /></span></P><P>&nbsp;</P> Wed, 05 Aug 2020 14:23:04 GMT https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/512572#M2961 goringop 2020-08-05T14:23:04Z https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/512579#M2962 <P>Try getting the total count from dest_port.</P><LI-CODE lang="markup">| stats values(dest_port) as dest_port count(bytes) as count by app | eval total_count = mvcount(dest_port)</LI-CODE><P>&nbsp;</P> Wed, 05 Aug 2020 14:33:17 GMT https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/512579#M2962 richgalloway 2020-08-05T14:33:17Z https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/512585#M2964 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;thanks for the reply but still not getting the correct value. please see below screenshot. Under the count column, I want to see all the value for each port then Under the total_count column I want to see the sum of counts for that specific app</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="goringop_0-1596638220253.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10065i117F6683A3C131E5/image-size/medium?v=v2&amp;px=400" role="button" title="goringop_0-1596638220253.png" alt="goringop_0-1596638220253.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 05 Aug 2020 14:41:50 GMT https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/512585#M2964 goringop 2020-08-05T14:41:50Z https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/512586#M2965 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>a table something like this:</P><TABLE width="306"><TBODY><TR><TD width="97">app</TD><TD width="67">dest_port</TD><TD width="64">count</TD><TD width="78">total_count</TD></TR><TR><TD>ssl</TD><TD width="67">10001<BR />10020<BR />13000<BR />13006<BR />22790<BR />26107<BR />443<BR />44345<BR />4</TD><TD width="64">21<BR />2<BR />3<BR />2<BR />8<BR />19<BR />22<BR />55<BR />323</TD><TD>455</TD></TR><TR><TD>web-browsing</TD><TD width="67"><P>1000<BR />21<BR />443<BR />5000<BR />7788<BR />80<BR />8003<BR />8080</P></TD><TD width="64">2<BR />3<BR />4<BR />7<BR />1000<BR />200<BR />12<BR />21</TD><TD>1249</TD></TR></TBODY></TABLE> Wed, 05 Aug 2020 14:49:55 GMT https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/512586#M2965 goringop 2020-08-05T14:49:55Z https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/515312#M3084 <P>Sorry.&nbsp; I misunderstood the request and read "total count" as a literal count.</P><P>I wrote an app that may help.&nbsp; Check out the mvstats app at&nbsp;<A href="https://splunkbase.splunk.com/app/5198/" target="_blank">https://splunkbase.splunk.com/app/5198/</A></P><P>Use it like this:&nbsp;</P><LI-CODE lang="markup">... | mvstats sum count as total_count</LI-CODE> Thu, 20 Aug 2020 21:03:50 GMT https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/515312#M3084 richgalloway 2020-08-20T21:03:50Z https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/516003#M3118 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;thank you for this, I will install the app and get back to you</P> Tue, 25 Aug 2020 11:51:05 GMT https://community.splunk.com/t5/Splunk-Enterprise/Sum-of-Total-count-in-another-column/m-p/516003#M3118 goringop 2020-08-25T11:51:05Z