How do I sum the total of appendcol results with o...

jamesbabugm · ‎01-05-2023

looking for a query to convert the results like this

I have a search to produce report using appendcols

a | b | c

5785|5731|100

want to get the report like this, basically trying to format the name of the fields along with apply sum/diff

Total of messagea | Total of messageb | Total of messagec | Diff of Total a and total b
5785|5731|100|54

This is the current query

kamlesh_vaghela · ‎01-05-2023

@jamesbabugm

You can eval the diff between total a & total b and then rename fields.

Like

index!= "internal " sourcetype="a" "messagea" | stats count as a |
appendcols [search index!= "internal" sourcetype="b" "messageb" | stats count as b ] |
appendcols [search index!= "internal" sourcetype="c" "messagec" | stats count as c ]
| eval diff = a - b
| table a b c diff
| rename a as "Total of Message a", b as "Total of Message b", c as "Total of Message c", diff as "Diff of Total a and Total b"

You can change the search as per your requirement.

https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Eval

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rename

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

How do I sum the total of appendcol results with option to format the field name?

stats

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Are you a member of the Splunk Community?