topic How to edit my search to add subtotals for successful events by _time for every error? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-add-subtotals-for-successful-events-by/m-p/267477#M80475 <P>What I have:</P> <PRE><CODE>Time User count Error 2016-02-04 04:18:00 cinci 1 2016-02-04 04:18:01 cfl tampabay 2 2016-02-04 04:18:03 nc 4 2016-02-04 04:18:04 1 1 </CODE></PRE> <P>What I need:</P> <PRE><CODE>Time User count Error 2016-02-04 04:18:00 cinci 1 2016-02-04 04:18:01 cfl tampabay 2 2016-02-04 04:18:03 nc 4 Total users 7 2016-02-04 04:18:04 1 1 Time User count Error 2016-02-04 04:18:08 cinci 2 2016-02-04 04:18:10 cfl tampabay 2 2016-02-04 04:18:13 nc 4 Total users 8 .... ... ... </CODE></PRE> <P>..... so before every error, it has to give the total successful event counts based on user and timestamp.</P> <P>My search:</P> <PRE><CODE>index=prod user=* | fields user,_time | stats count by user,_time | stats values(user) as Domain,sum(count) as Total by _time | append [ search index=prod error="xyz" | stats count by error,_time | stats count(error) as Error,sum(count) as Total by _time] | sort _time </CODE></PRE> Thu, 04 Feb 2016 17:10:29 GMT shivarpith 2016-02-04T17:10:29Z How to edit my search to add subtotals for successful events by _time for every error? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-add-subtotals-for-successful-events-by/m-p/267477#M80475 <P>What I have:</P> <PRE><CODE>Time User count Error 2016-02-04 04:18:00 cinci 1 2016-02-04 04:18:01 cfl tampabay 2 2016-02-04 04:18:03 nc 4 2016-02-04 04:18:04 1 1 </CODE></PRE> <P>What I need:</P> <PRE><CODE>Time User count Error 2016-02-04 04:18:00 cinci 1 2016-02-04 04:18:01 cfl tampabay 2 2016-02-04 04:18:03 nc 4 Total users 7 2016-02-04 04:18:04 1 1 Time User count Error 2016-02-04 04:18:08 cinci 2 2016-02-04 04:18:10 cfl tampabay 2 2016-02-04 04:18:13 nc 4 Total users 8 .... ... ... </CODE></PRE> <P>..... so before every error, it has to give the total successful event counts based on user and timestamp.</P> <P>My search:</P> <PRE><CODE>index=prod user=* | fields user,_time | stats count by user,_time | stats values(user) as Domain,sum(count) as Total by _time | append [ search index=prod error="xyz" | stats count by error,_time | stats count(error) as Error,sum(count) as Total by _time] | sort _time </CODE></PRE> Thu, 04 Feb 2016 17:10:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-add-subtotals-for-successful-events-by/m-p/267477#M80475 shivarpith 2016-02-04T17:10:29Z Re: How to edit my search to add subtotals for successful events by _time for every error? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-add-subtotals-for-successful-events-by/m-p/267478#M80476 <P>Try something like this</P> <PRE><CODE>index=prod user=* | fields user,_time | stats count by user,_time | stats values(user) as Domain,sum(count) as Total by _time | append [ search index=prod error="xyz" | stats count by error,_time | stats count(error) as Error,sum(count) as Total by _time] | sort _time | eval temp=Error | fillnull temp value=0 | accum temp | appendpipe [| stats max(_time) as _time sum(Total) as Total by temp | eval Domain="***************Total Users"] | sort _time temp | fields - temp </CODE></PRE> Thu, 04 Feb 2016 18:23:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-add-subtotals-for-successful-events-by/m-p/267478#M80476 somesoni2 2016-02-04T18:23:07Z