Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dynamically created columns with totals

swhitehead30
Engager
‎03-28-2018 11:03 AM

Hello,

I'm looking to accomplish a couple of things with the same query and am getting a little stuck. One search looks for all the SSO errors. Those results don't give me a way to see which customer is having issues so I piped that to a different search to be able to lookup the district name. (i'm sure there may be a easier more efficient way to do this and if you can help that would be awesome but is secondary to the next request)

Based on those results, I want to show district name, the number if times each error occurs, and the total number of errors.

Here's what I have so far...
host=prod-* LOGGERCLASS=* IP=* District_Name=* School_Name=* OBID=* "MESSAGE=LOGIN_SUCCESS" | stats count as Logins by OBID, IP, District_Name, School_Name | join[ search LOGGERCLASS=SSO_LOGGER sourcetype=log4j SSOSTATUS=SSO_FAILURE | stats count as SSO_ERRORS by IP, ERROR_CODE ] | xyseries District_Name ERROR_CODE SSO_ERRORS

This gives me a table that looks like:

|District_Name | S601 | S602 | S603 | etc. (dynamically expands)
|UniqueDistrict1| 1 | | |

I would like to be able to add a total to the last column to tally up the total number of errors.

0 Karma
Reply

swhitehead30
Engager
‎03-28-2018 11:19 AM

I may have worked this out and feel stupid for asking... 

`host=prod-* LOGGERCLASS=* IP=* District_Name=* School_Name=* OBID=* "MESSAGE=LOGIN_SUCCESS" | stats count as Logins by OBID, IP, District_Name, School_Name | join[ search LOGGERCLASS=SSO_LOGGER sourcetype=log4j SSOSTATUS=SSO_FAILURE | stats  count as SSO_ERRORS by IP, ERROR_CODE ] | xyseries District_Name ERROR_CODE SSO_ERRORS |addtotals`

Just added the addtotals

0 Karma
Reply

elliotproebstel
Champion
‎03-28-2018 11:30 AM

No need to feel stupid. There are an incredible number of options and commands in Splunk, so it's easy to not know about some of them!

0 Karma
Reply

elliotproebstel
Champion
‎03-28-2018 11:18 AM

You should be able to just add | addtotals to the end of your search. This will take the sum of all numeric fields in a row and put that sum into a field called "Total". To customize, use the options documented here:
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Addtotals

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top