https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142761#M39657 <P>HI, </P> <P>Can't seem to get this working. This is what I want, so I can do a multi stacked bar chart.<BR /> Columns:<BR /> Place, SubTotal 1, SubTotal 2, SubTotal 3, Grand Total.</P> <P>My lookup table will have 3 rows for each place.<BR /><BR /> Place, SubPlace 1<BR /> Place, SubPlace 2<BR /> Place SubPlace 3</P> <P>I have a search where I find sales amount by each SubPlace:</P> <PRE><CODE>mysearch| lookup sales_lookup SalesID as SalesID OUTPUT Place, SalesType | stats sum(SalesRevenue) as SalesTypeTotal by SalesType </CODE></PRE> <P>I can't figure out how to have it all on one row so I have : Place, SubTotal 1, SubTotal 2, SubTotal 3, Grand Total.</P> <P>Any ideas? This should be easy ...</P> <P>Chris</P> Thu, 04 Jun 2015 19:03:10 GMT chrisboy68 2015-06-04T19:03:10Z https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142761#M39657 <P>HI, </P> <P>Can't seem to get this working. This is what I want, so I can do a multi stacked bar chart.<BR /> Columns:<BR /> Place, SubTotal 1, SubTotal 2, SubTotal 3, Grand Total.</P> <P>My lookup table will have 3 rows for each place.<BR /><BR /> Place, SubPlace 1<BR /> Place, SubPlace 2<BR /> Place SubPlace 3</P> <P>I have a search where I find sales amount by each SubPlace:</P> <PRE><CODE>mysearch| lookup sales_lookup SalesID as SalesID OUTPUT Place, SalesType | stats sum(SalesRevenue) as SalesTypeTotal by SalesType </CODE></PRE> <P>I can't figure out how to have it all on one row so I have : Place, SubTotal 1, SubTotal 2, SubTotal 3, Grand Total.</P> <P>Any ideas? This should be easy ...</P> <P>Chris</P> Thu, 04 Jun 2015 19:03:10 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142761#M39657 chrisboy68 2015-06-04T19:03:10Z https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142762#M39658 <P>If I'm understanding your question correctly, I believe something like this should work:<BR /> | eval GrandTotal = SubTotal1+SubTotal2+SubTotal3<BR /> | table Place SubTotal1 SubTotal2 SubTotal3 GrandTotal</P> Thu, 04 Jun 2015 19:19:48 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142762#M39658 hogan24 2015-06-04T19:19:48Z https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142763#M39659 <P>Hmm, but I can't figure out how to do that in a search query. </P> <P>For example, considering I have 3 sales types for each Place named, subTotal1, SubTotal2 and SubTotal3, executing this query will return</P> <P>mysearch | lookup salesID_lookup SalesID as SalesID OUTPUT Place, SalesType | stats sum(SalesRevenue) as SalesTypeTotal by SalesType</P> <P>SubTotal1 1000<BR /> SubTotal2 1200<BR /> SubTotal2 1100</P> <P>What I want is:</P> <P>Place, SubTotal1, SubTotal2, SubTotal3, Grand Total.</P> <P>Where Grand Total is the total of all the SubTotals for each Place. Hope I'm explaining it correctly.</P> <P>Thank you</P> <P>Chris</P> Thu, 04 Jun 2015 19:45:41 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142763#M39659 chrisboy68 2015-06-04T19:45:41Z https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142764#M39660 <P>Ahh, I think I see what you're saying. You're getting multiple rows and you want to have 1 row with multiple columns, is that correct? If so, try piping the results to 'transpose' (| tranpose) and see if that puts you in the right direction. </P> Thu, 04 Jun 2015 19:49:09 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142764#M39660 hogan24 2015-06-04T19:49:09Z https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142765#M39661 <P>Here's another way that I think may be more what you're looking for:<BR /> | eval SubTotal1 = if(columnName=="SubTotal1", countColumnName, null)<BR /> | eval SubTotal2 = if(columnName=="SubTotal2", countColumnName, null)<BR /> | eval SubTotal3 = if(columnName=="SubTotal3", countColumnName, null)<BR /> | table SubTotal1 SubTotal2 SubTotal3<BR /> | stats sum(SubTotal1) as SubTotal1 sum(SubTotal2) as SubTotal2 sum(SubTotal3) as SubTotal3<BR /> | eval GrandTotal = SubTotal1+SubTotal2+SubTotal3</P> Thu, 04 Jun 2015 19:57:32 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142765#M39661 hogan24 2015-06-04T19:57:32Z https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142766#M39662 <P>Building off of your comment to @hogan24 above, you currently have: </P> <PRE><CODE>mysearch | lookup salesID_lookup SalesID as SalesID OUTPUT Place, SalesType | stats sum(SalesRevenue) as SalesTypeTotal by SalesType </CODE></PRE> <P>But you want the sum of each sales type over place grouped by SalesType, so instead of stats, lets start with trying <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/chart">chart</A> which can do exactly that. (aside: As needs change there are more esoteric ways of building such a table here such using stats followed by <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/xyseries">xyseries</A> which lets you do some interesting manipulations in between the two commands but that will be down the line when the basic chart command stops fitting your use case)</P> <PRE><CODE>mysearch | lookup salesID_lookup SalesID as SalesID OUTPUT Place, SalesType | chart sum(SalesRevenue) over Place by SalesType </CODE></PRE> <P>This should give you a result table like this:</P> <PRE><CODE> Place Type1 Type2 Type3 Somewhere 123 456 789 SomewhereElse 111 222 333 </CODE></PRE> <P>Now if you're wanting totals for each place, assuming the places are non-numeric that's as easy as then piping to <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Addtotals">addtotals</A> and playing with the options you want for example: </P> <PRE><CODE>mysearch | lookup salesID_lookup SalesID as SalesID OUTPUT Place, SalesType | chart sum(SalesRevenue) over Place by SalesType | addtotals col=true labelfield=Place </CODE></PRE> <P>Assuming we're building on the data from the last step this should now look like: </P> <PRE><CODE> Place Type1 Type2 Type3 Total Somewhere 123 456 789 1368 SomewhereElse 111 222 333 666 Total 234 678 1122 2034 </CODE></PRE> Thu, 04 Jun 2015 20:16:40 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142766#M39662 acharlieh 2015-06-04T20:16:40Z https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142767#M39663 <P>This didn't work. it made it close, but did not group the Place. For the same place, it duplicated a row for each SubTotal. </P> <P>This is what I'm looking for on one row:<BR /> Place, SubTotal1, SubTotal2, SubTotal3, Grand Total.</P> <P>Thanks for your help.</P> <P>Chris</P> Thu, 04 Jun 2015 20:18:52 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142767#M39663 chrisboy68 2015-06-04T20:18:52Z https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142768#M39664 <P>Ah , that was it, I needed "chart", not "stats"</P> <P>Thank you!</P> <P>Chris</P> Thu, 04 Jun 2015 20:29:50 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Stats-Amounts-using-a-Lookup-Table/m-p/142768#M39664 chrisboy68 2015-06-04T20:29:50Z