How do I sum the total of appendcol results with o...

jamesbabugm · ‎01-05-2023

looking for a query to convert the results like this

I have a search to produce report using appendcols

a | b | c

5785|5731|100

want to get the report like this, basically trying to format the name of the fields along with apply sum/diff

Total of messagea | Total of messageb | Total of messagec | Diff of Total a and total b
5785|5731|100|54

This is the current query

kamlesh_vaghela · ‎01-05-2023

@jamesbabugm

You can eval the diff between total a & total b and then rename fields.

Like

index!= "internal " sourcetype="a" "messagea" | stats count as a |
appendcols [search index!= "internal" sourcetype="b" "messageb" | stats count as b ] |
appendcols [search index!= "internal" sourcetype="c" "messagec" | stats count as c ]
| eval diff = a - b
| table a b c diff
| rename a as "Total of Message a", b as "Total of Message b", c as "Total of Message c", diff as "Diff of Total a and Total b"

You can change the search as per your requirement.

https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Eval

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rename

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

How do I sum the total of appendcol results with option to format the field name?

stats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!