Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dynamically created columns with totals

swhitehead30
Engager
‎03-28-2018 11:03 AM

Hello,

I'm looking to accomplish a couple of things with the same query and am getting a little stuck. One search looks for all the SSO errors. Those results don't give me a way to see which customer is having issues so I piped that to a different search to be able to lookup the district name. (i'm sure there may be a easier more efficient way to do this and if you can help that would be awesome but is secondary to the next request)

Based on those results, I want to show district name, the number if times each error occurs, and the total number of errors.

Here's what I have so far...
host=prod-* LOGGERCLASS=* IP=* District_Name=* School_Name=* OBID=* "MESSAGE=LOGIN_SUCCESS" | stats count as Logins by OBID, IP, District_Name, School_Name | join[ search LOGGERCLASS=SSO_LOGGER sourcetype=log4j SSOSTATUS=SSO_FAILURE | stats count as SSO_ERRORS by IP, ERROR_CODE ] | xyseries District_Name ERROR_CODE SSO_ERRORS

This gives me a table that looks like:

|District_Name | S601 | S602 | S603 | etc. (dynamically expands)
|UniqueDistrict1| 1 | | |

I would like to be able to add a total to the last column to tally up the total number of errors.

0 Karma
Reply

swhitehead30
Engager
‎03-28-2018 11:19 AM

I may have worked this out and feel stupid for asking... 

`host=prod-* LOGGERCLASS=* IP=* District_Name=* School_Name=* OBID=* "MESSAGE=LOGIN_SUCCESS" | stats count as Logins by OBID, IP, District_Name, School_Name | join[ search LOGGERCLASS=SSO_LOGGER sourcetype=log4j SSOSTATUS=SSO_FAILURE | stats  count as SSO_ERRORS by IP, ERROR_CODE ] | xyseries District_Name ERROR_CODE SSO_ERRORS |addtotals`

Just added the addtotals

0 Karma
Reply

elliotproebstel
Champion
‎03-28-2018 11:30 AM

No need to feel stupid. There are an incredible number of options and commands in Splunk, so it's easy to not know about some of them!

0 Karma
Reply

elliotproebstel
Champion
‎03-28-2018 11:18 AM

You should be able to just add | addtotals to the end of your search. This will take the sum of all numeric fields in a row and put that sum into a field called "Total". To customize, use the options documented here:
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Addtotals

0 Karma
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top