https://community.splunk.com/t5/Splunk-Search/adding-value-output-rows-from-a-stats-table/m-p/568633#M198167 <P>appendpipe sounds great but it won't work that straightforward with multivalued fields.</P><P>I can't seem to be able to do a "dynamic addressing" of multivalued fields so I could mvfind a position in one list and find a value in another one (something like field.(mvfind(another_field,"value")) - it doesn't work).</P><P>Furthermore, expanding mvfields with mvexpand - well, you can't do it "pairwise". You could do mvzip to produce pairs but it's getting even more ugly and you still have filtering ahead of you. Ugly as hell.</P><P>So I'd rather skip the "stats list" from the original search. Or at least moved it way to the end - until all the calculations are complete.</P> Mon, 27 Sep 2021 23:22:55 GMT PickleRick 2021-09-27T23:22:55Z https://community.splunk.com/t5/Splunk-Search/adding-value-output-rows-from-a-stats-table/m-p/568584#M198158 <P>I have the following search.&nbsp;</P><P>index=main_index sourcetype="hec:google" operationName=createMobileAuthenticationOutcome direction=response source="customers-mobile-authentications-v1"<BR />| dedup correlationId<BR />| stats count by eventData.log{}.downstreamRequestAdditionalLog.request.applicationEntryType eventData.log{}.downstreamRequestAdditionalLog.request.authenticationOutcome<BR />| sort -count<BR />| eventstats sum(count) as tot by eventData.log{}.downstreamRequestAdditionalLog.request.applicationEntryType<BR />| eval perc = round(count/tot*100,1)<BR />| stats list(eventData.log{}.downstreamRequestAdditionalLog.request.authenticationOutcome) as "OutCome Request Details" list(count) as Count, list(perc) as "% per Auth Type" by eventData.log{}.downstreamRequestAdditionalLog.request.applicationEntryType<BR />| appendpipe<BR />[ stats sum(Count) as Count, sum("% per Auth Type") as "% per Auth Type" by eventData.log{}.downstreamRequestAdditionalLog.request.applicationEntryType<BR />| eval "OutCome Request Details" = "Total Request"]<BR />| sort eventData.log{}.downstreamRequestAdditionalLog.request.applicationEntryType<BR />| rename eventData.log{}.downstreamRequestAdditionalLog.request.applicationEntryType as "Auth Type"<BR /><BR /></P><P>which shows this table. But....&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="3DS MI Report Stats Table.JPG" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16171i0BFEB05E2D1A914D/image-size/large?v=v2&amp;px=999" role="button" title="3DS MI Report Stats Table.JPG" alt="3DS MI Report Stats Table.JPG" /></span></P><P>What I want to do is add another row for the total number of directOpenApp.Completed and pushNotifications.Completed</P><P>I've tried addtotals and can't get my head around appendcols.</P><P>Thanks</P><P>r</P> Mon, 27 Sep 2021 16:57:43 GMT https://community.splunk.com/t5/Splunk-Search/adding-value-output-rows-from-a-stats-table/m-p/568584#M198158 rhallinan 2021-09-27T16:57:43Z https://community.splunk.com/t5/Splunk-Search/adding-value-output-rows-from-a-stats-table/m-p/568626#M198164 <P>It sounds like you're wanting to add a subtotal column.&nbsp; If so, see the examples for the <FONT face="courier new,courier">appendpipe</FONT> command (<A href="https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Appendpipe#Examples" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/Appendpipe#Examples</A>) for how to that.</P> Mon, 27 Sep 2021 21:06:34 GMT https://community.splunk.com/t5/Splunk-Search/adding-value-output-rows-from-a-stats-table/m-p/568626#M198164 richgalloway 2021-09-27T21:06:34Z https://community.splunk.com/t5/Splunk-Search/adding-value-output-rows-from-a-stats-table/m-p/568633#M198167 <P>appendpipe sounds great but it won't work that straightforward with multivalued fields.</P><P>I can't seem to be able to do a "dynamic addressing" of multivalued fields so I could mvfind a position in one list and find a value in another one (something like field.(mvfind(another_field,"value")) - it doesn't work).</P><P>Furthermore, expanding mvfields with mvexpand - well, you can't do it "pairwise". You could do mvzip to produce pairs but it's getting even more ugly and you still have filtering ahead of you. Ugly as hell.</P><P>So I'd rather skip the "stats list" from the original search. Or at least moved it way to the end - until all the calculations are complete.</P> Mon, 27 Sep 2021 23:22:55 GMT https://community.splunk.com/t5/Splunk-Search/adding-value-output-rows-from-a-stats-table/m-p/568633#M198167 PickleRick 2021-09-27T23:22:55Z