Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sum of Total count in another column

goringop
Explorer
‎08-05-2020 06:52 AM

Hi 

Need help on my query, I want to achieve this kind of table shown below

What I want is to get the total_count value for each app by adding the values under count and get sum of it under total_count

 

appdest_portcounttotal_count
ssl10001
10020
13000
13006
22790
26107
443
44345
4		21
2
3
2
8
19
22
55
323		?
web-browsing

1000
21
443
5000
7788
80
8003
8080

2
3
4
7
1000
200
12
21		?

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-20-2020 02:03 PM

Sorry.  I misunderstood the request and read "total count" as a literal count.

I wrote an app that may help.  Check out the mvstats app at https://splunkbase.splunk.com/app/5198/

Use it like this: 

... | mvstats sum count as total_count
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-05-2020 07:08 AM

An eval should do it.

| stats values(dest_port) as dest_port count(bytes) as count by app
| eval total_count = mvcount(count)
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

goringop
Explorer
‎08-05-2020 07:23 AM

@richgalloway 

it seems that the count for each dest_port where gone, then Im getting the total_count with a value of 1

goringop_0-1596637374491.png

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-05-2020 07:33 AM

Try getting the total count from dest_port.

| stats values(dest_port) as dest_port count(bytes) as count by app
| eval total_count = mvcount(dest_port)

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

goringop
Explorer
‎08-05-2020 07:41 AM

@richgalloway thanks for the reply but still not getting the correct value. please see below screenshot. Under the count column, I want to see all the value for each port then Under the total_count column I want to see the sum of counts for that specific app

goringop_0-1596638220253.png

 

 

0 Karma
Reply
Solved! Jump to solution

goringop
Explorer
‎08-05-2020 07:44 AM

@richgalloway 

a table something like this:

appdest_portcounttotal_count
ssl10001
10020
13000
13006
22790
26107
443
44345
4		21
2
3
2
8
19
22
55
323		455
web-browsing

1000
21
443
5000
7788
80
8003
8080

2
3
4
7
1000
200
12
21		1249
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-20-2020 02:03 PM

Sorry.  I misunderstood the request and read "total count" as a literal count.

I wrote an app that may help.  Check out the mvstats app at https://splunkbase.splunk.com/app/5198/

Use it like this: 

... | mvstats sum count as total_count
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

goringop
Explorer
‎08-25-2020 04:51 AM

@richgalloway thank you for this, I will install the app and get back to you

0 Karma
Reply
Solved! Jump to solution

goringop
Explorer
‎08-05-2020 07:10 AM

it works 🙂 thank you for your help

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...