I ingested a .CSV into Splunk which contained some patching information derived from another system. The problem with the report is that it's producing multiple rows with the same patch information. I ran it through Splunk to see if I could clean it up some by using the following query:
index=patching sourcetype=patching
| stats count by Patch_History, Patch_Number, Count
| sort -Count
| stats list(Patch_History) as Count, list(Count) by Patch_Number
This query produced the following output:
I'd like to add a subtotal for each section. I've tried using | addcolumns fieldname=" ", etc., but am not getting the desired results. Any help is appreciated!
@itsmevic please try the following approach with eventstats to get the sum as Sub_Total, and values() or last() or first() to show only one value for Sub_Total:
index=patching sourcetype=patching
| stats count by Patch_History, Patch_Number, Count
| eventstats sum(Count) as Sub_Total by Patch_Number
| sort - Count
| stats list(Patch_History) as Patch_History, list(Count) as Count, values(Sub_Total) as Sub_Total by Patch_Number
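To see why the eventstats step gives exactly one Sub_Total per patch even though the rows are duplicated, here is an added Python model of that pipeline over constructed rows (my own illustration, not code from the thread or from Splunk); the field names follow the thread, the sample values and KB numbers are invented.

```python
from collections import Counter, defaultdict

# Constructed sample rows standing in for the ingested CSV (values invented).
# Identical Patch_History/Patch_Number/Count triples are repeated on purpose
# to mimic the duplicate rows the question describes.
ROWS = [
    {"Patch_Number": "KB5001", "Patch_History": "Installed 2021-03", "Count": 4},
    {"Patch_Number": "KB5001", "Patch_History": "Installed 2021-03", "Count": 4},  # duplicate
    {"Patch_Number": "KB5001", "Patch_History": "Failed 2021-02", "Count": 1},
    {"Patch_Number": "KB7002", "Patch_History": "Installed 2021-01", "Count": 7},
    {"Patch_Number": "KB7002", "Patch_History": "Installed 2021-01", "Count": 7},  # duplicate
    {"Patch_Number": "KB7002", "Patch_History": "Pending", "Count": 2},
]

def subtotal_per_patch(rows):
    """Model of the accepted answer's SPL pipeline:
    stats count by Patch_History, Patch_Number, Count   -> one row per distinct triple
    eventstats sum(Count) as Sub_Total by Patch_Number  -> subtotal stamped on every row
    sort -Count
    stats list()/values() by Patch_Number               -> one row per patch
    """
    # stats count by ...: collapse identical triples (the count itself is not used later)
    distinct = Counter((r["Patch_History"], r["Patch_Number"], r["Count"]) for r in rows)
    events = [{"Patch_History": h, "Patch_Number": p, "Count": c} for (h, p, c) in distinct]
    # eventstats: compute the per-patch sum, then add it to each row without collapsing rows
    totals = defaultdict(int)
    for e in events:
        totals[e["Patch_Number"]] += e["Count"]
    for e in events:
        e["Sub_Total"] = totals[e["Patch_Number"]]
    # sort -Count (descending; stable, like Splunk's default for ties)
    events.sort(key=lambda e: e["Count"], reverse=True)
    # final stats: list() keeps order and repeats, values() deduplicates, so the
    # identical Sub_Total on every row of a patch collapses to a single value
    out = {}
    for e in events:
        g = out.setdefault(e["Patch_Number"], {"Patch_History": [], "Count": [], "Sub_Total": set()})
        g["Patch_History"].append(e["Patch_History"])
        g["Count"].append(e["Count"])
        g["Sub_Total"].add(e["Sub_Total"])
    return {p: {"Patch_History": g["Patch_History"], "Count": g["Count"],
                "Sub_Total": sorted(g["Sub_Total"])} for p, g in out.items()}
```

Note that sum(Count) adds up the Count field of the deduplicated rows, not the number of rows; if the CSV's Count column is not what you want subtotalled, use sum of a different field or count() in the eventstats.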
Boom! Nike, you are a lifesaver! Thank you! The output is exactly what I need!
@itsmevic you were so close that I am sure you would have got it yourself after tea/coffee or maybe a nap 🙂
Keep Splunking!!!