https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512800#M143844 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129407">@thambisetty</a>&nbsp; &nbsp;<SPAN>So my data structure has four columns: "Month", "Status", "Accepted", "Value". The two things I'm trying to graph are: 1) the total values per month no matter what Status/Accepted, 2) the total values per month where "Status=Done and Accepted = Done".&nbsp;&nbsp;</SPAN></P> Thu, 06 Aug 2020 16:07:24 GMT Username1 2020-08-06T16:07:24Z https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512787#M143837 <P>So my data structure has four columns: "Month", "Status", "Accepted", "Value". As the title suggest I'm trying to determine two things: 1) the total values per month, 2) the total values per month where "Status=Done and Accepted = Done". I have the query working for the first one but I'm having difficulty with the second. Does anyone have any ideas how to do this? Thanks!</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=index |table Month, Status, Accepted, Value | eval _time=strptime(scan_date,"%Y-%m-%d") | stats sum(Value) as total_value_per_month by Month</LI-CODE> <P>&nbsp;</P> Thu, 06 Aug 2020 23:35:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512787#M143837 Username1 2020-08-06T23:35:51Z https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512791#M143839 <P>index=index Status=Done Accepted=Done</P><P>| stats sum(Value) by Month</P> Thu, 06 Aug 2020 15:49:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512791#M143839 thambisetty 2020-08-06T15:49:11Z https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512792#M143840 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129407">@thambisetty</a>&nbsp; Thanks for responding! If i do that how will I count where Status = 'Not Done" by Month?</P><P>&nbsp;</P> Thu, 06 Aug 2020 15:52:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512792#M143840 Username1 2020-08-06T15:52:51Z https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512794#M143841 <P>I believe you are looking for different query?</P><P>If yes,</P><P>index=index Status=“not done”&nbsp;</P><P>| stats sum(Value) by Month.</P><P>&nbsp;</P><P>up vote if it solves your problem.</P> Thu, 06 Aug 2020 15:57:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512794#M143841 thambisetty 2020-08-06T15:57:06Z https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512796#M143842 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129407">@thambisetty</a>&nbsp;Is there no way I can have one query? The end goal is to have a visual</P><P>&nbsp;</P> Thu, 06 Aug 2020 15:58:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512796#M143842 Username1 2020-08-06T15:58:20Z https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512797#M143843 <P>Write down all your cases to combine. We need to use Case statement.</P><P>for example:&nbsp;</P><P>if Status=Done Accepted=Done -&gt; Done</P><P>if status =“Not Done” -&gt; “Not Done”</P><P>and expected output in table format.</P> Thu, 06 Aug 2020 16:02:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512797#M143843 thambisetty 2020-08-06T16:02:45Z https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512800#M143844 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129407">@thambisetty</a>&nbsp; &nbsp;<SPAN>So my data structure has four columns: "Month", "Status", "Accepted", "Value". The two things I'm trying to graph are: 1) the total values per month no matter what Status/Accepted, 2) the total values per month where "Status=Done and Accepted = Done".&nbsp;&nbsp;</SPAN></P> Thu, 06 Aug 2020 16:07:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512800#M143844 Username1 2020-08-06T16:07:24Z https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512802#M143845 <P>index=index</P><P>| eval done=if(Status=“Done” AND Accepted=“Done”,”1”,”0”)</P><P>| stats sum(Value) as all , sum(done) as done by Month</P> Thu, 06 Aug 2020 16:13:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512802#M143845 thambisetty 2020-08-06T16:13:31Z https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512812#M143847 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129407">@thambisetty</a>&nbsp; I tried running that and it returned "<SPAN>Error in 'eval' command: The expression is malformed. An unexpected character is reached at '”1”,”0”)'."<BR /><BR />If I do that how would the `done`&nbsp; eval be able to sum all of the Values, as Values range from .25 - 10</SPAN></P> Thu, 06 Aug 2020 16:48:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512812#M143847 Username1 2020-08-06T16:48:18Z https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512815#M143848 <P>index=index</P><P>| eval done=if(Status=“Done” AND Accepted=“Done”,”1”,”0”)</P><P>| stats sum(Value) as all , sum(done) as done by Month</P><P><BR />replace double quotes with double quotes from your key board.</P><P>&nbsp;</P><P>your query is not clear.</P> Thu, 06 Aug 2020 16:56:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512815#M143848 thambisetty 2020-08-06T16:56:31Z https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512872#M143866 <P>Check this and upvote if it solves your problem.</P> Thu, 06 Aug 2020 19:50:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512872#M143866 thambisetty 2020-08-06T19:50:31Z https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512879#M143869 <LI-CODE lang="markup">index=YOURINDEX sourcetype=YOURSOURCETYPE | stats sum(Value) as TotalValue by Month | append [ searchindex=YOURINDEX sourcetype=YOURSOURCETYPE Status="Done" Accepted="Done" | stats sum(Value) as TotalVal_Done by Month] | stats values(TotalValue) as TotalValue values(TotalVal_Done) as TotalVal_Done by Month</LI-CODE> Thu, 06 Aug 2020 20:11:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-and-sum-fourth-column-if-second-and-third-column/m-p/512879#M143869 kmorris_splunk 2020-08-06T20:11:06Z