topic Re: How to Calculate the sum of values from a chart and create a field specifying that total of those values in Splunk Search

How to Calculate the sum of values from a chart and create a field specifying that total of those values

theouhuios — Mon, 15 Oct 2012 14:51:10 GMT

Hello

I am trying to create a total of values in different fields and add it to the output as a different field. I am able to get the value of different fields but got stuck on how to add them.

sourcetype="xxxx" earliest=-31d@d latest=@d| dedup record.incidentId   |stats count by record.priority|

This is the command which I used to get the data. The data now is

record.priority     count
1                        6
2                    7568
3                    6346
4                    68

Now I wanted to add another field with a total of all the count values in the same chart.

Anyone has an idea on how to do that? Is there any other method where I can first get the whole total of the count in a bar chart for a 31 day period and then probably draw the graph with different priority fields which gives the information about each priority with a count of incidents created per day?

Regards

-theou

Re: How to Calculate the sum of values from a chart and create a field specifying that total of those values

kristian_kolb — Mon, 15 Oct 2012 15:22:16 GMT

You should probably look at the addcoltotals command;

your_search_here | addcoltotals labelfield=record.priority label="Total count"

See the docs here:
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Addcoltotals

For the second part of your query, I don't really understand how you want the output, but try;

sourcetype="xxxx" earliest=-31d@d latest=@d| dedup record.incidentId  | timechart span=1d count by record.priority

You can paste the search (or write a new one from scratch) into the Advanced Charting view (under the "Dashboards & Views" menu), and play around with the visualization options.

Hope this helps,

Kristian

Re: How to Calculate the sum of values from a chart and create a field specifying that total of those values

gkanapathy — Mon, 15 Oct 2012 15:28:15 GMT

that or eventstats

Re: How to Calculate the sum of values from a chart and create a field specifying that total of those values

kristian_kolb — Mon, 15 Oct 2012 15:33:56 GMT

true, addcoltotals does not create a new field per se, but I gathered that the real request was more for presentation purposes.

Re: How to Calculate the sum of values from a chart and create a field specifying that total of those values

theouhuios — Mon, 15 Oct 2012 15:51:50 GMT

Hmm.. The timechart is the way which i am doing as of now. But I am trying to see if I can actually use multiple visualizations on a single dashboard. Like a bar chart mentioning the total count of incidents and then a line chart upon the bar chart which graphs according to number of incidents and the priority of the incident.

Re: How to Calculate the sum of values from a chart and create a field specifying that total of those values

theouhuios — Mon, 15 Oct 2012 19:04:49 GMT

Used the addtotals command to get a total value. Then used fields to remove the redundant fields which weren't needed.

Thanks for all your help.