https://community.splunk.com/t5/Splunk-Search/Splunk-Search-for-Total-Values/m-p/503721#M140625 <P>Thank you, <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/81823">@bmunson_splunk</a></P> Wed, 10 Jun 2020 12:15:24 GMT madhav_dholakia 2020-06-10T12:15:24Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-for-Total-Values/m-p/503669#M140612 <P>Hello There,</P><P>I have got a search result as given below (without the highlighted row, i.e. Total):</P><TABLE border="1" width="102.19555943167241%"><TBODY><TR><TD width="20%" height="25px">Analyst</TD><TD width="20%" height="25px">Month</TD><TD width="20%" height="25px">Total Count</TD><TD width="20%" height="25px">SLA (%)</TD><TD width="10%" height="25px">Working Days</TD><TD width="10%">Daily Count (Total Count / Working Days)</TD></TR><TR><TD width="20%" height="25px">ABC</TD><TD width="20%" height="25px">May-20</TD><TD width="20%" height="25px">68</TD><TD width="20%" height="25px">97</TD><TD width="10%" height="25px">18</TD><TD width="10%">3.77</TD></TR><TR><TD width="20%" height="25px">DEF</TD><TD width="20%" height="25px">May-20</TD><TD width="20%" height="25px">45</TD><TD width="20%" height="25px">100</TD><TD width="10%" height="25px">20</TD><TD width="10%">2.25</TD></TR><TR><TD width="20%" height="25px">GHI</TD><TD width="20%" height="25px">May-20</TD><TD width="20%" height="25px">25</TD><TD width="20%" height="25px">94</TD><TD width="10%" height="25px">15</TD><TD width="10%">1.66</TD></TR><TR><TD width="20%" height="25px">JKL</TD><TD width="20%" height="25px">May-20</TD><TD width="20%" height="25px">86</TD><TD width="20%" height="25px">98</TD><TD width="10%" height="25px">22</TD><TD width="10%">3.91</TD></TR><TR><TD width="20%" height="25px"><STRONG>Total</STRONG></TD><TD width="20%" height="25px"><STRONG>May-20</STRONG></TD><TD width="20%" height="25px"><STRONG>224</STRONG></TD><TD width="20%" height="25px"><STRONG>97.25</STRONG></TD><TD width="10%" height="25px"><STRONG>75</STRONG></TD><TD width="10%"><STRONG>2.97<BR /></STRONG></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Data for all these columns (except "Working Days") is available through a DB Connect Database live feed. Data for column "Working Days" is stored in a csv lookup file (created through Lookup Editor).</P><P>Search which gives me above output (without <STRONG>Total</STRONG> Values) is something like:</P><LI-CODE lang="markup">| inputlookup TeamDetails.csv | addinfo | eval temp=strftime(info_min_time,"%B-%Y") | where Month_Year=temp | table Analyst Month_Year | join type=left Analyst [search index="idx_test" source="src_test" sourcetype="srctype_test" | sort -editTime | dedup id | lookup TeamDetails.csv Analyst OUTPUT WorkingDays | stats count as TotalCount by Analyst, WorkingDays | eval DailyCount=round(TotalCount/WorkingDays,2) | table Analyst DailyCount WorkingDays ] | join type=left Analyst [search index="idx_test" source="src_test" sourcetype="srctype_test" | sort -editTime | dedup id | eval inSLACount=if(SLA_Flag="1",1,0) | eval outSLACount=if(SLA_Flag="0",1,0) | stats sum(inSLACount) as insideSLA, sum(outSLACount) as outsideSLA, count(id) as TotalCount by Analyst | eval SLA=round(insideSLA/(TotalCount)*100,2) | table Analyst SLA TotalCount ] | table Analyst Month_Year TotalCount SLA WorkingDays DailyCount</LI-CODE><P>How can I change this search so that I get above given table output (including <STRONG>Total</STRONG> numbers).</P><P>Thank you.</P><P>Madhav</P> Wed, 10 Jun 2020 06:22:30 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-for-Total-Values/m-p/503669#M140612 madhav_dholakia 2020-06-10T06:22:30Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-for-Total-Values/m-p/503671#M140613 <P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="Analyst Month TotalCount SLA WorkingDays DailyCount ABC May-20 68 97 18 3.77 DEF May-20 45 100 20 2.25 GHI May-20 25 94 15 1.66 JKL May-20 86 98 22 3.91" | multikv forceheader=1 | table Analyst Month TotalCount SLA WorkingDays DailyCount | rename COMMENT as "this is your sample. from here, the logic" | appendpipe [| stats values(eval("Total")) as Analyst values(Month) as Month avg(SLA) as SLA avg(DailyCount) as DailyCount sum(TotalCount) as TotalCount sum(WorkingDays) as WorkingDays]</LI-CODE><P>&nbsp;</P><P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/65114">@madhav_dholakia</a>&nbsp;<BR />why don't you try appendpipe ?<BR /><BR />Please Accept and Upvote, If you'd like.</P> Wed, 10 Jun 2020 06:50:32 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-for-Total-Values/m-p/503671#M140613 to4kawa 2020-06-10T06:50:32Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-for-Total-Values/m-p/503673#M140614 <P>I would add this append pipe immediately before your table command.</P><LI-CODE lang="markup">| append [stats values(Month_Year) as Month_Year sum(TotalCount) as TotalCount avg(SLA) as SLA sum(WorkingDays) as WorkingDays avg(DailyCount) as DailyCount | eval Analyst = "Total" ] </LI-CODE><P>&nbsp;</P> Wed, 10 Jun 2020 06:52:39 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-for-Total-Values/m-p/503673#M140614 bmunson_splunk 2020-06-10T06:52:39Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-for-Total-Values/m-p/503720#M140624 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a> - works perfectly fine. Thank you very much.</P> Wed, 10 Jun 2020 12:13:05 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-for-Total-Values/m-p/503720#M140624 madhav_dholakia 2020-06-10T12:13:05Z https://community.splunk.com/t5/Splunk-Search/Splunk-Search-for-Total-Values/m-p/503721#M140625 <P>Thank you, <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/81823">@bmunson_splunk</a></P> Wed, 10 Jun 2020 12:15:24 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Search-for-Total-Values/m-p/503721#M140625 madhav_dholakia 2020-06-10T12:15:24Z