- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Dynamically created columns with totals
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dynamically created columns with totals
Hello,
I'm looking to accomplish a couple of things with the same query and am getting a little stuck. One search looks for all the SSO errors. Those results don't give me a way to see which customer is having issues so I piped that to a different search to be able to lookup the district name. (i'm sure there may be a easier more efficient way to do this and if you can help that would be awesome but is secondary to the next request)
Based on those results, I want to show district name, the number if times each error occurs, and the total number of errors.
Here's what I have so far...
host=prod-* LOGGERCLASS=* IP=* District_Name=* School_Name=* OBID=* "MESSAGE=LOGIN_SUCCESS" | stats count as Logins by OBID, IP, District_Name, School_Name | join[ search LOGGERCLASS=SSO_LOGGER sourcetype=log4j SSOSTATUS=SSO_FAILURE | stats count as SSO_ERRORS by IP, ERROR_CODE ] | xyseries District_Name ERROR_CODE SSO_ERRORS
This gives me a table that looks like:
|District_Name | S601 | S602 | S603 | etc. (dynamically expands)
|UniqueDistrict1| 1 | | |
I would like to be able to add a total to the last column to tally up the total number of errors.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I may have worked this out and feel stupid for asking...
`host=prod-* LOGGERCLASS=* IP=* District_Name=* School_Name=* OBID=* "MESSAGE=LOGIN_SUCCESS" | stats count as Logins by OBID, IP, District_Name, School_Name | join[ search LOGGERCLASS=SSO_LOGGER sourcetype=log4j SSOSTATUS=SSO_FAILURE | stats count as SSO_ERRORS by IP, ERROR_CODE ] | xyseries District_Name ERROR_CODE SSO_ERRORS |addtotals`
Just added the addtotals
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No need to feel stupid. There are an incredible number of options and commands in Splunk, so it's easy to not know about some of them!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to just add | addtotals to the end of your search. This will take the sum of all numeric fields in a row and put that sum into a field called "Total". To customize, use the options documented here:
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Addtotals
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
