https://community.splunk.com/t5/Splunk-Search/How-to-create-a-sum-of-counts-variable/m-p/351996#M104155 <P>I have a query that ends with:</P> <P>| eval error_message=mvindex(splited,0) | stats count as error_count by error_message | sort error_count desc | eval error_rate=round(error_count/(<STRONG>TOTAL_ERRORS</STRONG>)*100,0)</P> <P>Which produces a table with 3 columns: | error_message | error_count | error_rate |</P> <P>error_count represents the number of error_message occurrences for each error_message .</P> <P>I'm trying to create a variable named <STRONG>TOTAL_ERRORS</STRONG> that would represent the total sum of all error_count values (the total number of all error_message occurrences of any type). I need the <STRONG>TOTAL_ERRORS</STRONG> variable in order to calculate the error_rate for each error_message.</P> <P>I need help in creating this <STRONG>TOTAL_ERRORS</STRONG> variable.</P> <P>I tried to do that with </P> <BLOCKQUOTE> <P>stats sum(error_count)</P> </BLOCKQUOTE> <P>which resulted in a table with a single row of the grand total. </P> <P>I don't want <STRONG>TOTAL_ERRORS</STRONG> to have any effect on the table. I need it only for calculations.</P> <P>Thank you,<BR /> Samuel</P> Tue, 29 Sep 2020 15:14:44 GMT vshakur 2020-09-29T15:14:44Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-sum-of-counts-variable/m-p/351996#M104155 <P>I have a query that ends with:</P> <P>| eval error_message=mvindex(splited,0) | stats count as error_count by error_message | sort error_count desc | eval error_rate=round(error_count/(<STRONG>TOTAL_ERRORS</STRONG>)*100,0)</P> <P>Which produces a table with 3 columns: | error_message | error_count | error_rate |</P> <P>error_count represents the number of error_message occurrences for each error_message .</P> <P>I'm trying to create a variable named <STRONG>TOTAL_ERRORS</STRONG> that would represent the total sum of all error_count values (the total number of all error_message occurrences of any type). I need the <STRONG>TOTAL_ERRORS</STRONG> variable in order to calculate the error_rate for each error_message.</P> <P>I need help in creating this <STRONG>TOTAL_ERRORS</STRONG> variable.</P> <P>I tried to do that with </P> <BLOCKQUOTE> <P>stats sum(error_count)</P> </BLOCKQUOTE> <P>which resulted in a table with a single row of the grand total. </P> <P>I don't want <STRONG>TOTAL_ERRORS</STRONG> to have any effect on the table. I need it only for calculations.</P> <P>Thank you,<BR /> Samuel</P> Tue, 29 Sep 2020 15:14:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-sum-of-counts-variable/m-p/351996#M104155 vshakur 2020-09-29T15:14:44Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-sum-of-counts-variable/m-p/351997#M104156 <P>Hi<BR /> add to your search</P> <PRE><CODE>| eventstats stats sum(error_count) AS Total </CODE></PRE> <P>and use it for your calculation.</P> <P>Bye.<BR /> Giuseppe</P> Fri, 04 Aug 2017 15:18:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-sum-of-counts-variable/m-p/351997#M104156 gcusello 2017-08-04T15:18:13Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-sum-of-counts-variable/m-p/351998#M104157 <P>Thank you for your answer, but I'm getting the following error message:<BR /> <STRONG>Error in 'eventstats' command. The argument 'stats' is invalid</STRONG></P> Fri, 04 Aug 2017 15:34:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-sum-of-counts-variable/m-p/351998#M104157 vshakur 2017-08-04T15:34:00Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-sum-of-counts-variable/m-p/351999#M104158 <P>yeah, delete the word stats.</P> Fri, 04 Aug 2017 15:35:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-sum-of-counts-variable/m-p/351999#M104158 DalJeanis 2017-08-04T15:35:54Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-sum-of-counts-variable/m-p/352000#M104159 <P>Sorry!</P> <PRE><CODE>| eventstats sum(error_count) AS Total </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 04 Aug 2017 15:37:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-sum-of-counts-variable/m-p/352000#M104159 gcusello 2017-08-04T15:37:27Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-sum-of-counts-variable/m-p/352001#M104160 <P>Thanks guys, it worked, but I got an extra unnecessary "Total" column in my table.<BR /> Ho do I get the Total without affecting the table.</P> Fri, 04 Aug 2017 16:01:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-sum-of-counts-variable/m-p/352001#M104160 vshakur 2017-08-04T16:01:05Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-sum-of-counts-variable/m-p/352002#M104161 <P>Add <BR /> | fields - Total <BR /> after the calculation.<BR /> If this answer solves your need, please accept it.<BR /> Bye.<BR /> Giuseppe</P> Fri, 04 Aug 2017 16:52:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-sum-of-counts-variable/m-p/352002#M104161 gcusello 2017-08-04T16:52:16Z