Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Adding a Total column (without using addtotals)

tread_splunk
Splunk Employee
Splunk Employee
‎10-01-2024 06:04 AM

Sometimes I set myself SPL conundrum challenges just to see how to solve them.  I realised I couldn't do something I thought would be quite straightforward.  For the dummy data below I want a single row resultset which tells me how many events of each UpgradeStatus and how  many events in total i.e.

TotalCompletedPendingProcessing
11632

  I don't know in advance what the different values of UpgradeStatus might be and I don't want to use addtotals (this is the challenge part).

I came up with the solution below which kinda "misuses" xyseries (which I'm strangely proud of) .  I feel like I'm missing a more straightforward solution, other than addtotals 🙂  Anyone up for the challenge?

Dummy data and solution (misusing xyseries) follows...

 

| makeresults format=csv data="ServerName,UpgradeStatus
Server1,Completed
Server2,Completed
Server3,Completed
Server4,Completed
Server5,Completed
Server6,Completed
Server7,Pending
Server8,Pending
Server9,Pending
Server10,Processing
Server11,Processing" 
| stats count by UpgradeStatus 
| eventstats sum(count) as Total 
| xyseries Total UpgradeStatus count

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-01-2024 07:30 AM

I tend to just use the by clause as the first mentioned field is used for the over field, but that's just a matter of style / preference. Since you can only specify two fields on a chart command, over and by is probably clearer.

In this example, the eventstats is a way of providing a single value for the "over" field so that you get a single row of statistics.

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-01-2024 07:18 AM

Alternatively you could just to a very ugly hack and name your field so it will be iterated over at the end and knowing it will be added to itself just divide it in half 😁

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-01-2024 06:50 AM

There isn't a search that can't be made uglier with foreach XD

| makeresults format=csv data="ServerName,UpgradeStatus
Server1,Completed
Server2,Completed
Server3,Completed
Server4,Completed
Server5,Completed
Server6,Completed
Server7,Pending
Server8,Pending
Server9,Pending
Server10,Processing
Server11,Processing"
| stats count by UpgradeStatus
| transpose 0 header_field=UpgradeStatus 
| fields - column
| eval Total=0
| foreach * 
    [ eval Total=Total+<<FIELD>> ]

 As an alternative you can also use appendpipe

| makeresults format=csv data="ServerName,UpgradeStatus
Server1,Completed
Server2,Completed
Server3,Completed
Server4,Completed
Server5,Completed
Server6,Completed
Server7,Pending
Server8,Pending
Server9,Pending
Server10,Processing
Server11,Processing"
| stats count by UpgradeStatus
| appendpipe 
    [ stats sum(count) as count 
    | eval UpgradeStatus="Total" ]
| transpose 0 header_field=UpgradeStatus
0 Karma
Reply
Solved! Jump to solution

tread_splunk
Splunk Employee
Splunk Employee
‎10-01-2024 07:04 AM

Nice work @PickleRick !  

Am I missing something?  I had previously tried with the delightful foreach command earlier but I can't get it to avoid double-counting the Total field.  So I end up with the Total equalling 22 - not the correct result of 11.  I get the same thing with your solution as well.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-01-2024 07:09 AM

Right you are. As usual, forgot about it.

Here's fixed version.

| makeresults format=csv data="ServerName,UpgradeStatus
Server1,Completed
Server2,Completed
Server3,Completed
Server4,Completed
Server5,Completed
Server6,Completed
Server7,Pending
Server8,Pending
Server9,Pending
Server10,Processing
Server11,Processing"
| stats count by UpgradeStatus
| transpose 0 header_field=UpgradeStatus 
| fields - column
| eval Total=0
| foreach *
    [ eval Total=Total+if("<<FIELD>>"=="Total",0,<<FIELD>>) ]
0 Karma
Reply
Solved! Jump to solution

tread_splunk
Splunk Employee
Splunk Employee
‎10-01-2024 07:18 AM

Aha!  That's how you avoid the double-count.  I've encountered this before.  Will definitely put this on file.  Thank you.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-01-2024 06:20 AM 
| makeresults format=csv data="ServerName,UpgradeStatus
Server1,Completed
Server2,Completed
Server3,Completed
Server4,Completed
Server5,Completed
Server6,Completed
Server7,Pending
Server8,Pending
Server9,Pending
Server10,Processing
Server11,Processing"
| eventstats count as Total
| chart count by Total UpgradeStatus
0 Karma
Reply
Solved! Jump to solution

tread_splunk
Splunk Employee
Splunk Employee
‎10-01-2024 07:15 AM

Oh @ITWhisperer That is sweet.

It helps me if I specify the over / by designation ... but hats off to you.

| eventstats count as Total
| chart count over Total by UpgradeStatus

Not looking forward to explaining to anyone how it works ... but work it does.  (I'll add it to my collection of misusing a command to get a result.   Got any others? 🙂)

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-01-2024 07:30 AM

I tend to just use the by clause as the first mentioned field is used for the over field, but that's just a matter of style / preference. Since you can only specify two fields on a chart command, over and by is probably clearer.

In this example, the eventstats is a way of providing a single value for the "over" field so that you get a single row of statistics.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...