How do I sum the total of appendcol results with o...

jamesbabugm · ‎01-05-2023

looking for a query to convert the results like this

I have a search to produce report using appendcols

a | b | c

5785|5731|100

want to get the report like this, basically trying to format the name of the fields along with apply sum/diff

Total of messagea | Total of messageb | Total of messagec | Diff of Total a and total b
5785|5731|100|54

This is the current query

kamlesh_vaghela · ‎01-05-2023

@jamesbabugm

You can eval the diff between total a & total b and then rename fields.

Like

index!= "internal " sourcetype="a" "messagea" | stats count as a |
appendcols [search index!= "internal" sourcetype="b" "messageb" | stats count as b ] |
appendcols [search index!= "internal" sourcetype="c" "messagec" | stats count as c ]
| eval diff = a - b
| table a b c diff
| rename a as "Total of Message a", b as "Total of Message b", c as "Total of Message c", diff as "Diff of Total a and Total b"

You can change the search as per your requirement.

https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Eval

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rename

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

How do I sum the total of appendcol results with option to format the field name?

stats

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

How do I sum the total of appendcol results with option to format the field name?

stats

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console