Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to transform row to column unique?

sjkalai
Explorer
‎06-06-2022 11:16 PM

I am new to Splunk, search query and return table values , I want change below table into second table format. 

convert to table into below format. percentage calculation is sum of 0-5% - Q1 row value/ sum of column total. How can achieve this. please help me . Thanks in advance

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-06-2022 11:29 PM

Hi @sjkalai,

you should use the chart command (https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Chart)

Only one question: how does the Serial field is in the calculation?

for each usage_range and quarter, do you want the count of the values or the distinct values of Serials?

if the count, please try something like this:

your_search
| chart count OVER usage_range BY quarter

if distinct_count of Serials

your_search
| chart dc(Serial) OVER usage_range BY quarter

Ciao.

Giuseppe

0 Karma
Reply

sjkalai
Explorer
‎06-07-2022 12:11 AM

Thank you for answer. @gcusello  I am already used chart i got table. but I want add a percentage calculation (Serial count *100 )/ sum (column -Q1) total. I want like this Serial count 10 (50%) is in column total 20. Ex (10*100)/20 = 50 %

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-07-2022 12:28 AM

Hi @sjkalai,

you have to use a more complicated search that I cannot test, see my approach and adapt to your need:

your_search
| stats count BY usage_range quarter
| evenstats sum(count) AS quarter_total BY quarter
| eval perc=count*100/quarter_total 
| eval value_to_display=count." (".perc."%)"
| chart values(value_to_display) AS value_to_display OVER usage_range BY quarter

Ciao.

Giuseppe

Reply

sjkalai
Explorer
‎06-07-2022 05:38 AM

Hi @gcusello ,

Thanks its work. But I cannot add a column total in the last row because chart values are string. so we cannot use addtotals or addcoltotals commend.
 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-07-2022 05:49 AM

Hi @sjkalai,

you could try to use the append command at the end of your search:

 

your_search
| stats count BY usage_range quarter
| evenstats sum(count) AS quarter_total BY quarter
| eval perc=count*100/quarter_total 
| eval value_to_display=count." (".perc."%)"
| chart values(value_to_display) AS value_to_display OVER usage_range BY quarter
| append [ search your_search | evenstats sum(count) AS quarter_total BY quarter ]

 

If this answer solves your need, please accept it for the other people of Community.

Ciao.

Giuseppe

P.S. Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...