Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dynamically created columns with totals

swhitehead30
Engager
‎03-28-2018 11:03 AM

Hello,

I'm looking to accomplish a couple of things with the same query and am getting a little stuck. One search looks for all the SSO errors. Those results don't give me a way to see which customer is having issues so I piped that to a different search to be able to lookup the district name. (i'm sure there may be a easier more efficient way to do this and if you can help that would be awesome but is secondary to the next request)

Based on those results, I want to show district name, the number if times each error occurs, and the total number of errors.

Here's what I have so far...
host=prod-* LOGGERCLASS=* IP=* District_Name=* School_Name=* OBID=* "MESSAGE=LOGIN_SUCCESS" | stats count as Logins by OBID, IP, District_Name, School_Name | join[ search LOGGERCLASS=SSO_LOGGER sourcetype=log4j SSOSTATUS=SSO_FAILURE | stats count as SSO_ERRORS by IP, ERROR_CODE ] | xyseries District_Name ERROR_CODE SSO_ERRORS

This gives me a table that looks like:

|District_Name | S601 | S602 | S603 | etc. (dynamically expands)
|UniqueDistrict1| 1 | | |

I would like to be able to add a total to the last column to tally up the total number of errors.

0 Karma
Reply

swhitehead30
Engager
‎03-28-2018 11:19 AM

I may have worked this out and feel stupid for asking... 

`host=prod-* LOGGERCLASS=* IP=* District_Name=* School_Name=* OBID=* "MESSAGE=LOGIN_SUCCESS" | stats count as Logins by OBID, IP, District_Name, School_Name | join[ search LOGGERCLASS=SSO_LOGGER sourcetype=log4j SSOSTATUS=SSO_FAILURE | stats  count as SSO_ERRORS by IP, ERROR_CODE ] | xyseries District_Name ERROR_CODE SSO_ERRORS |addtotals`

Just added the addtotals

0 Karma
Reply

elliotproebstel
Champion
‎03-28-2018 11:30 AM

No need to feel stupid. There are an incredible number of options and commands in Splunk, so it's easy to not know about some of them!

0 Karma
Reply

elliotproebstel
Champion
‎03-28-2018 11:18 AM

You should be able to just add | addtotals to the end of your search. This will take the sum of all numeric fields in a row and put that sum into a field called "Total". To customize, use the options documented here:
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Addtotals

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top