https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99851#M25767 <P>So, you want a count split by app_id and app_name, plus a total count, with that count at the top?</P> <P>How about</P> <PRE><CODE>... | stats count as "Total Count" | append [search ... | top limit=0 app_id app_name | app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"] </CODE></PRE> Mon, 28 Sep 2020 12:05:43 GMT Ayn 2020-09-28T12:05:43Z https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99850#M25766 <P>I can not figure out how to get the sum of all the information at the top without changing the other fields around. I really just want a sum, but i can not seem to get the stats sum function to work. <BR /> |top limit=0 app_id app_name | fields + count, total_count, percent,app_name, app_id | accum count AS total_count | rename total_count AS "Total Count" app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"</P> <P>Any help would be appreciated, i am just not sure where to go from here i just need a total of all not necessarily a running total</P> Mon, 28 Sep 2020 12:05:40 GMT https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99850#M25766 Michael_Schyma1 2020-09-28T12:05:40Z https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99851#M25767 <P>So, you want a count split by app_id and app_name, plus a total count, with that count at the top?</P> <P>How about</P> <PRE><CODE>... | stats count as "Total Count" | append [search ... | top limit=0 app_id app_name | app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"] </CODE></PRE> Mon, 28 Sep 2020 12:05:43 GMT https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99851#M25767 Ayn 2020-09-28T12:05:43Z https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99852#M25768 <P>I was a total count field that will either display one number of all the events, or a running total that will display the total at the top instead of the bottom.</P> Mon, 16 Jul 2012 13:44:49 GMT https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99852#M25768 Michael_Schyma1 2012-07-16T13:44:49Z https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99853#M25769 <P>So, does my answer satisfy that requirement?</P> Mon, 16 Jul 2012 14:04:54 GMT https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99853#M25769 Ayn 2012-07-16T14:04:54Z https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99854#M25770 <P>maybe i am just wording it wrong. I just want a total number of events and i can not get it. with your code i get search operation 'app' is unknown</P> Mon, 16 Jul 2012 14:48:11 GMT https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99854#M25770 Michael_Schyma1 2012-07-16T14:48:11Z https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99855#M25771 <P>You should be getting a total number of events if you issue the search correctly. Could you show the complete search that you're using now?</P> Mon, 16 Jul 2012 15:06:32 GMT https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99855#M25771 Ayn 2012-07-16T15:06:32Z https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99856#M25772 <P>index=hik sourcetype="MainframeApps" | stats count as "Total Count" | append [search index=hik sourcetype="MainframeApps"| top limit=0 app_id app_name | app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"]</P> Mon, 28 Sep 2020 12:05:45 GMT https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99856#M25772 Michael_Schyma1 2020-09-28T12:05:45Z https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99857#M25773 <P>Ah, sorry, my bad - I seem to have left out a "rename" after the last pipe in my search.</P> <PRE><CODE>index=hik sourcetype="MainframeApps" | stats count as "Total Count" | append [search index=hik sourcetype="MainframeApps"| top limit=0 app_id app_name | rename app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"] </CODE></PRE> Mon, 16 Jul 2012 15:29:46 GMT https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99857#M25773 Ayn 2012-07-16T15:29:46Z https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99858#M25774 <P>Thank you, I wanted to add the total count to the other fields that were in there and it doesnt seem to want to let me do that. it takes all the other fields away and just gives me a count total instead of adding to the chart that i already have.</P> Mon, 16 Jul 2012 15:37:31 GMT https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99858#M25774 Michael_Schyma1 2012-07-16T15:37:31Z https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99859#M25775 <P>I think you need to post screenshots and more details if we're to have any chance of understanding what you want. I thought I understood, but it seems I was wrong. You said previously that you wanted a total count at the top, but now you're saying that you want to add it to other fields (what fields? where?). It gives you a total count (wasn't that what you wanted?) and takes other fields away (how? are you not seeing any other rows than the one with the total count?)</P> Mon, 16 Jul 2012 15:41:33 GMT https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99859#M25775 Ayn 2012-07-16T15:41:33Z https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99860#M25776 <P>I do want a total count feild that populates how many events are generated from our system. I dont understand how i am not seeing any other fields but a total count when i add the stat function. I just wanted to add the total field to what i had originally. I can not take screenshots here.</P> Mon, 16 Jul 2012 15:46:06 GMT https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99860#M25776 Michael_Schyma1 2012-07-16T15:46:06Z https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99861#M25777 <P>In that case I'm afraid I can't help you more without understanding your requirement and how it is not being met. In my environment when I issue a very similar query I get a row with a "Total count" in the first column, followed by a number of rows containing the statistics generated by <CODE>top</CODE>.</P> Mon, 16 Jul 2012 16:10:49 GMT https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99861#M25777 Ayn 2012-07-16T16:10:49Z https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99862#M25778 <P>Thank you for trying, i dont know why i am not getting the same results</P> Mon, 16 Jul 2012 16:24:03 GMT https://community.splunk.com/t5/Splunk-Search/Reverse-running-total-sum-needed/m-p/99862#M25778 Michael_Schyma1 2012-07-16T16:24:03Z