https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91546#M23589 <P>yes, but it does not add a seperate column that just has the total of all the counts</P> Thu, 05 Jul 2012 14:26:38 GMT Michael_Schyma1 2012-07-05T14:26:38Z https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91538#M23581 <P>I am trying to get a running total for the number of events field. I can not get a column that adds up every 'number of events' or a running total anywhere at the bottom. Any Suggestions??</P> <P>Heres my search:</P> <P>*- fields + app_name, app_id |top app_id app_name |rename app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent" </P> Mon, 28 Sep 2020 12:01:45 GMT https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91538#M23581 Michael_Schyma1 2020-09-28T12:01:45Z https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91539#M23582 <P>any help would be appreachated</P> Thu, 05 Jul 2012 13:02:20 GMT https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91539#M23582 Michael_Schyma1 2012-07-05T13:02:20Z https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91540#M23583 <P>I doubt that is really your search. Did you paste the whole search or just portions of it?</P> Thu, 05 Jul 2012 13:07:55 GMT https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91540#M23583 Ayn 2012-07-05T13:07:55Z https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91541#M23584 <P>+1 Ayn, you'll need to copy and paste your whole search directly if you want any useful help.</P> Thu, 05 Jul 2012 13:10:36 GMT https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91541#M23584 Drainy 2012-07-05T13:10:36Z https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91542#M23585 <P>Just a portion of it.. I left off the index and the sourcetype because i didnt think it would be needed. </P> Thu, 05 Jul 2012 14:06:03 GMT https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91542#M23585 Michael_Schyma1 2012-07-05T14:06:03Z https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91543#M23586 <P>What about the part that generates the statistics? (the count and percent part) unless they are existing fields?</P> Thu, 05 Jul 2012 14:08:08 GMT https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91543#M23586 Drainy 2012-07-05T14:08:08Z https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91544#M23587 <P>They are existing fields, I need a total of the top events. Not just each individual event</P> Thu, 05 Jul 2012 14:10:01 GMT https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91544#M23587 Michael_Schyma1 2012-07-05T14:10:01Z https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91545#M23588 <P>so you need to use a | stats sum(count) ?</P> Thu, 05 Jul 2012 14:10:36 GMT https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91545#M23588 Drainy 2012-07-05T14:10:36Z https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91546#M23589 <P>yes, but it does not add a seperate column that just has the total of all the counts</P> Thu, 05 Jul 2012 14:26:38 GMT https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91546#M23589 Michael_Schyma1 2012-07-05T14:26:38Z https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91547#M23590 <P>so there is no way to just add a field that will give me a running total for all the events that I am searching for. When i add the sum feature it just takes me to a different screen and then gives me a total instead of having all the information listed and totaling in a different field. Thank you for your help, just having a hard time getting it to work. </P> Thu, 05 Jul 2012 14:30:58 GMT https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91547#M23590 Michael_Schyma1 2012-07-05T14:30:58Z https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91548#M23591 <P>Just as a suggestion, this search does a count for events with two distinct values, adds them together, and has the total as a new column.</P> <PRE><CODE> | stats count(eval(product="abc")) AS abc_count, count(eval(product="xyz")) AS xyz_count by product | eval total_products=abc_count+xyz_count | sort -total_products </CODE></PRE> <P>Sorry if this isn't what you're looking for, but hopefully it helps in some way.</P> <P>Also you might want to remove the regex tag.. I don't think this has much to do with regular expressions <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 05 Jul 2012 15:22:37 GMT https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91548#M23591 rturk 2012-07-05T15:22:37Z https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91549#M23592 <P>From the docs on <CODE>accum</CODE>:</P> <PRE><CODE>accum Keeps a running total of a specified numeric field. </CODE></PRE> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Accum">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Accum</A></P> Thu, 05 Jul 2012 15:30:35 GMT https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91549#M23592 Ayn 2012-07-05T15:30:35Z https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91550#M23593 <P>Sorry about that, i am not sure how that got there.</P> Thu, 05 Jul 2012 19:12:03 GMT https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91550#M23593 Michael_Schyma1 2012-07-05T19:12:03Z https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91551#M23594 <P>Nice! Another command that I wasn't previously aware existed <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 05 Jul 2012 23:21:46 GMT https://community.splunk.com/t5/Splunk-Search/Running-Total/m-p/91551#M23594 rturk 2012-07-05T23:21:46Z