Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Adding a column to a daily stats chart that adds up multiple fields

Bliide
Path Finder
‎07-17-2014 09:38 AM

I have a simple stats chart that shows a daily total with 6 fields. I would like to add a column that adds 3 of those fields together. I have tried and failed with addtotals and addcoltotals. It seems a simple task but I am somehow missing a concept. Here is one of the failed attempts:

mysearch* | stats sum(RuleCount) sum(NewInViolationCount) sum(NewHistoryCount) sum(NoChangeCount) sum(CodeMissingForRuleCount) sum(MeterDataMissingCount) by _time | sort -_time | rename _time as "Date Logged" | convert timeformat="%Y-%m-%d" ctime("Date Logged") | eval total=NewInViolationCount + NewHistoryCount + NoChangeCount | addtotals col=t fieldname=expected_total total

What am I missing? I just want a quick reference added to the chart. Three lines should always equaal the sum of the RuleCount line.

Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎07-17-2014 10:18 AM

You need to rename them in the stats, since stats is a field modifier command. The new field is actually "sum(RuleCount)" unless you rename it.

mysearch* | stats sum(RuleCount) AS RuleCount sum(NewInViolationCount) AS NewInViolationCount sum(NewHistoryCount) AS NewHistoryCount sum(NoChangeCount) AS NoChangeCount sum(CodeMissingForRuleCount) AS CodeMissingForRuleCount sum(MeterDataMissingCount) AS MeterDataMissingCount by _time | sort -_time  | rename _time as "Date Logged" | convert timeformat="%Y-%m-%d" ctime("Date Logged") | eval total=NewInViolationCount + NewHistoryCount + NoChangeCount | addtotals col=t fieldname=expected_total total

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎07-17-2014 10:18 AM

You need to rename them in the stats, since stats is a field modifier command. The new field is actually "sum(RuleCount)" unless you rename it.

mysearch* | stats sum(RuleCount) AS RuleCount sum(NewInViolationCount) AS NewInViolationCount sum(NewHistoryCount) AS NewHistoryCount sum(NoChangeCount) AS NoChangeCount sum(CodeMissingForRuleCount) AS CodeMissingForRuleCount sum(MeterDataMissingCount) AS MeterDataMissingCount by _time | sort -_time  | rename _time as "Date Logged" | convert timeformat="%Y-%m-%d" ctime("Date Logged") | eval total=NewInViolationCount + NewHistoryCount + NoChangeCount | addtotals col=t fieldname=expected_total total
Reply
Solved! Jump to solution

Bliide
Path Finder
‎07-17-2014 11:26 AM

Thank you very much!

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎07-17-2014 11:15 AM

Change: | addtotals col=f fieldname=expected_total total

Also, please accept as answered if I have done so. Thanks!

Reply
Solved! Jump to solution

Bliide
Path Finder
‎07-17-2014 11:05 AM

That worked great, thank you. It creates a new question however. In the column that is now generated with the sum of those 3 fields it has a total number listed at the bottom of the column. Is there way to remove that listing from the bottom of that line in the table?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...