topic Re: Adding a row that is the sum of the events for each specific time to a table in Splunk Search

Adding a row that is the sum of the events for each specific time to a table

learningsplunk — Mon, 30 Aug 2021 05:17:51 GMT

Is this possible to transform a data set from :

Time	User	Number of Errors
9 pm	Josh	2
9 pm	Andy	1
10 pm	Josh	0
10 pm	Andy	1
11 pm	Josh	1
11 pm	Andy	3

to :

Time	User	Number of Errors
9 pm	Josh	2
9 pm	Andy	1
9 pm	Total Number of Errors	3
10 pm	Josh	0
10 pm	Andy	1
10 pm	Total Number of Errors	1
11 pm	Josh	1
11 pm	Andy	3
11 pm	Total Number of Errors	4

?

I've tried to use :

<insert index here> | convert num("Number of Errors") as NumberofErrors |eval Total_Number_of_Errors= Josh + Andy |table Time User Number of Errors

However its erroring out when i try to run this query .

Re: Adding a row that is the sum of the events for each specific time to a table

PickleRick — Mon, 30 Aug 2021 08:39:55 GMT

Use appendpipe.

| makeresults | eval _raw="Time,User,Number
9pm,Josh,2
9pm,Andy,13
10pm,Josh,1
10pm,Andy,2
10pm,Joseph,1" | multikv noheader=f | table Time User Number 
| appendpipe 
[stats sum(Number) as Number by Time 
| eval User="Total"] 
| sort Time

Of course in order to have the "Total" row at the end of each section, you need either to name it so it's always sortable at the end or add additional field to sort by.

Re: Adding a row that is the sum of the events for each specific time to a table

learningsplunk — Mon, 30 Aug 2021 17:12:10 GMT

@PickleRick , Thanks ! Thought i had to start creating 2 different charts and the combining them both using a union to get a total count for this. The

| appendpipe

Splunk transforming command exactly addresses that issue.