topic how to do append after a |stats sum(fields) in Splunk Search

how to do append after a |stats sum(fields)

dtccsundar — Mon, 04 Oct 2021 06:26:03 GMT

Hi,

Below is my search ,

index=aa sourcetype=bb|stats sum(CountOf_True) as True sum(CountOf_false) as false|table True False |eval comp="Test1"

|append [|search index=cc sourcetype=dd|eval comp="Test2"]

|eventstats count as total_count by comp
|stats count(eval(Status=="True")) as True count(eval(Status=="False")) as False count(eval(Status=="Error")) as "Error" count(eval(Status=="Excluded")) as "Excluded" max(total_count) as total by comp
|eval "True %"=round((('True'+'Excluded')/total*100),2)
|eval "False %"=round((('False'+'Error')/total*100),2)

| sort sort_field |fields - sort_field
|table Comp "True %" "False %"

The result which is get is ,

Comp True % False %

Test1 0 0

Test2 93.00 7.00

I have to get the actual % for Test1 too . Iam getting "0 " .Not sure my append is wrong with stats Sum() .

Please can any one give me right way to get the values for the above search .

Re: how to do append after a |stats sum(fields)

ITWhisperer — Mon, 04 Oct 2021 07:11:09 GMT

This line:

index=aa sourcetype=bb|stats sum(CountOf_True) as True sum(CountOf_false) as false|table True False |eval comp="Test1"

will give you True False and comp fields

This line

|stats count(eval(Status=="True")) as True count(eval(Status=="False")) as False count(eval(Status=="Error")) as "Error" count(eval(Status=="Excluded")) as "Excluded" max(total_count) as total by comp

is based on the value of Status - this no longer exists for comp="Test1" which is why you are getting zeroes

Re: how to do append after a |stats sum(fields)

dtccsundar — Mon, 04 Oct 2021 09:21:58 GMT

Thank you ITWhisperer

Is there a way to achieve this ? Whether i can create a new field Status and bring the values into that field ?

Please tell me if there a way available to do this too.

Re: how to do append after a |stats sum(fields)

ITWhisperer — Mon, 04 Oct 2021 09:34:10 GMT

Try something like this

Re: how to do append after a |stats sum(fields)

dtccsundar — Tue, 05 Oct 2021 07:22:58 GMT

Thank you .This works great !!

Re: how to do append after a |stats sum(fields)

dtccsundar — Tue, 05 Oct 2021 10:53:26 GMT

Following this , i am in need of a column which should show barchart for (False % and True%) each comp values .

Ex :

Comp True% False% Barchart

Test1 55 45 corresponding % bar chart

Test2 66 34 corresponding % bar chart

This is the requirement from client, Can you help me please .