Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Adding a column to a daily stats chart that adds up multiple fields

Bliide
Path Finder
‎07-17-2014 09:38 AM

I have a simple stats chart that shows a daily total with 6 fields. I would like to add a column that adds 3 of those fields together. I have tried and failed with addtotals and addcoltotals. It seems a simple task but I am somehow missing a concept. Here is one of the failed attempts:

mysearch* | stats sum(RuleCount) sum(NewInViolationCount) sum(NewHistoryCount) sum(NoChangeCount) sum(CodeMissingForRuleCount) sum(MeterDataMissingCount) by _time | sort -_time | rename _time as "Date Logged" | convert timeformat="%Y-%m-%d" ctime("Date Logged") | eval total=NewInViolationCount + NewHistoryCount + NoChangeCount | addtotals col=t fieldname=expected_total total

What am I missing? I just want a quick reference added to the chart. Three lines should always equaal the sum of the RuleCount line.

Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎07-17-2014 10:18 AM

You need to rename them in the stats, since stats is a field modifier command. The new field is actually "sum(RuleCount)" unless you rename it.

mysearch* | stats sum(RuleCount) AS RuleCount sum(NewInViolationCount) AS NewInViolationCount sum(NewHistoryCount) AS NewHistoryCount sum(NoChangeCount) AS NoChangeCount sum(CodeMissingForRuleCount) AS CodeMissingForRuleCount sum(MeterDataMissingCount) AS MeterDataMissingCount by _time | sort -_time  | rename _time as "Date Logged" | convert timeformat="%Y-%m-%d" ctime("Date Logged") | eval total=NewInViolationCount + NewHistoryCount + NoChangeCount | addtotals col=t fieldname=expected_total total

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎07-17-2014 10:18 AM

You need to rename them in the stats, since stats is a field modifier command. The new field is actually "sum(RuleCount)" unless you rename it.

mysearch* | stats sum(RuleCount) AS RuleCount sum(NewInViolationCount) AS NewInViolationCount sum(NewHistoryCount) AS NewHistoryCount sum(NoChangeCount) AS NoChangeCount sum(CodeMissingForRuleCount) AS CodeMissingForRuleCount sum(MeterDataMissingCount) AS MeterDataMissingCount by _time | sort -_time  | rename _time as "Date Logged" | convert timeformat="%Y-%m-%d" ctime("Date Logged") | eval total=NewInViolationCount + NewHistoryCount + NoChangeCount | addtotals col=t fieldname=expected_total total
Reply
Solved! Jump to solution

Bliide
Path Finder
‎07-17-2014 11:26 AM

Thank you very much!

0 Karma
Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎07-17-2014 11:15 AM

Change: | addtotals col=f fieldname=expected_total total

Also, please accept as answered if I have done so. Thanks!

Reply
Solved! Jump to solution

Bliide
Path Finder
‎07-17-2014 11:05 AM

That worked great, thank you. It creates a new question however. In the column that is now generated with the sum of those 3 fields it has a total number listed at the bottom of the column. Is there way to remove that listing from the bottom of that line in the table?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...