Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Knowledge Management
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Need help to get total count
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need help to get total count
vishwa
Path Finder
04-12-2024
06:52 PM
index=app-index source=application.logs
| rex field= _raw "RampData :\s(?<RampdataSet>\w+)"
| rex field= _raw "(?<Message>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)"
| chart count over RampdataSet by MessageOUTPUT:
| RampdataSet | Initial message received with below details | Letter published correctley to ATM subject | Letter published correctley to DMM subject | Letter rejected due to: DOUBLE_KEY | Letter rejected due to: UNVALID_LOG | Letter rejected due to: UNVALID_DATA_APP |
| WAC | 10 | 0 | 0 | 10 | 0 | 10 |
| WAX | 30 | 15 | 15 | 60 | 15 | 60 |
| WAM | 22 | 20 | 20 | 62 | 20 | 62 |
| STC | 33 | 12 | 12 | 57 | 12 | 57 |
| STX | 66 | 30 | 0 | 96 | 0 | 96 |
| OTP | 20 | 10 | 0 | 30 | 0 | 30 |
| TTC | 0 | 5 | 0 | 5 | 0 | 5 |
| TAN | 0 | 7 | 0 | 7 | 0 | 7 |
But we want output as shown below:
Total="Letter published correctley to ATM subject" + "Letter published correctley to DMM subject" + "Letter published correctley to DMM subject" + "Letter rejected due to: DOUBLE_KEY" + "Letter rejected due to: UNVALID_LOG" + "Letter rejected due to: UNVALID_DATA_APP"
|table "Initial message received with below details" Total
| RampdataSet | Initial message received with below details | Total |
| WAC | 10 | 20 |
| WAX | 30 | 165 |
| WAM | 22 | 184 |
| STC | 33 | 150 |
| STX | 66 | 222 |
| OTP | 20 | 70 |
| TTC | 0 | 15 |
| TAN | 0 | 21 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
04-12-2024
10:17 PM
Hi @vishwa
you can use eval (https://docs.splunk.com/Documentation/SCS/current/SearchReference/EvalCommandOverview) or addtotal (https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Addtotals), something like this:
index=app-index source=application.logs
| rex field= _raw "RampData :\s(?<RampdataSet>\w+)"
| rex field= _raw "(?<Message>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)"
| chart count over RampdataSet by Message
| eval Total="Letter published correctley to ATM subject" + "Letter published correctley to DMM subject" + "Letter published correctley to DMM subject" + "Letter rejected due to: DOUBLE_KEY" + "Letter rejected due to: UNVALID_LOG" + "Letter rejected due to: UNVALID_DATA_APP"
| table "Initial message received with below details" TotalCiao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vishwa
Path Finder
04-13-2024
11:09 AM
Hi @gcusello We tried the query you provided eval command, but it not working output is:
| RampdataSet | Initial message received with below details | Total |
| WAC | 10 | Letter published correctley to ATM subject |
| WAX | 30 | Letter published correctley to DMM subject |
| WAM | 22 | Letter rejected due to: DOUBLE_KEY |
| STC | 33 | Letter rejected due to: UNVALID_LOG |
| STX | 66 | Letter rejected due to: UNVALID_DATA_APP |
We tried addtotals as well, pls see the output:
| RampdataSet | Initial message received with below details | Total |
| WAC | 20 | |
| WAX | 165 | |
| WAM | 184 | |
| STC | 150 | |
| STX | 222 | |
| OTP | 70 | |
| TTC | 15 | |
| TAN | 21 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gcusello
SplunkTrust
04-13-2024
10:21 PM
Hi @vishwa ,
if you run your search, have you the table you shared?
if yes, using the eval I hinted you sum the values ot the columns in the Total value.
You could also use addtotals command that sums all the values for each row:
index=app-index source=application.logs
| rex field= _raw "RampData :\s(?<RampdataSet>\w+)"
| rex field= _raw "(?<Message>Initial message received with below details|Letter published correctley to ATM subject|Letter published correctley to DMM subject|Letter rejected due to: DOUBLE_KEY|Letter rejected due to: UNVALID_LOG|Letter rejected due to: UNVALID_DATA_APP)"
| chart count over RampdataSet by Message
| addtotals But also in this case que question is: does your search extract the value for each column?
Ciao.
Giuseppe
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
