Solved: Re: Can we display the total count of all fields i...

splunker9999 · ‎08-15-2016

Hi,

Is there any possibility to display total count of all fields inside a panel?

We have pie chart that displays 5 fields with some values for each. Now we need to display something like "total" may be at top of the panel or bottom of the panel.

Can you please suggest?

Thanks

martin_mueller · ‎08-15-2016

If you compute the total in your search like so | addtotals fieldname=_total, you can refer to $result._total$ in an HTML panel or a panel title.

Note, that's assuming you have one row with five columns. If you have five rows with one column, you'll need to use | eventstats sum(yourcolumn) as _total to compute the total.

View solution in original post

Arun_N_007 · ‎08-15-2016

Hi,

Please correct me if am wrong,

You need a total count in the same panel of a pie chart?

It can be done using single value and pie chart in the same panel, here you need to use post process search picking total for single value and other values for pie chart.

Ex:-

Base search

..|eventstats sum(count) as Total|table Source,count,Total

Dependent Search 1 (For Pie chart)

table Source,count

Dependent Search 2 (For Single Value)

stats values(Total) as Total|table Total

If you don't want you use single value.

Use Java Script to find a total and set a token to display in the html tag inside a panel.

sundareshr · ‎08-15-2016

You could do something like this... Here is an example with index=Internal but you should be able to adjust to your needs.

index=_internal sourcetype=splunkd_* | stats count by sourcetype | eventstats sum(count) as total | eval sourcetype=sourcetype." (".count."/".total.")" | fields - total

This will display the total in the field name

splunker9999 · ‎08-16-2016

Hi ,
Thanks, we are not looking to display in fieldname , instead some thing we are looking to display in title or some way inside panel is also fine?

Thanks

martin_mueller · ‎08-15-2016

If you compute the total in your search like so | addtotals fieldname=_total, you can refer to $result._total$ in an HTML panel or a panel title.

Note, that's assuming you have one row with five columns. If you have five rows with one column, you'll need to use | eventstats sum(yourcolumn) as _total to compute the total.

martin_mueller · ‎08-16-2016

Sigh... for some reason I pasted the wrong version - you'll need the preview search event handler, not progress... that one only has job properties. http://docs.splunk.com/Documentation/Splunk/6.4.2/Viz/EventHandlerReference#preview

splunker9999 · ‎08-16-2016

awesome...that works.

I used finalized.

Thank you very much.

martin_mueller · ‎08-16-2016

That's copied out of a working dashboard I built to check syntax etc., what exact XML are you using?

splunker9999 · ‎08-16-2016

Below is my sample xml code used for this dashboard.

<single>
             <title>$total$</title>
            <search>
              <query>index=imdc_vms (sourcetype=hadoop:app:opera) (host=lgpbdpv035* OR host=lgpbdpv535* )  return_message="SUCCESS"   |eval Platform =if(sourcetype=="hadoop:app:opera", "OPERA","Fingerprint")   | search  Platform="*"  | eval item ="Success Requests" | stats dc(request_id) as Count by item,Platform | append [search  index=imdc_vms sourcetype=hadoop:app:tomcat:access source="*localhost_access_log*" (host=lgpbdpv035* OR host=lgpbdpv535* OR host=lgpbdpv050* OR host=lgpbdpv550*)  ( method=POST OR method =GET)  (uri="*opera*" OR uri ="*fingerprint*" )  | eval Platform=if(match(uri,".*opera.*"),"OPERA", "Fingerprint")   | search  Platform="*"  | eval item ="Total Requests" | stats count(uri) as Count by item,Platform | eval t_req= Count  ]  | append [search  index=imdc_vms sourcetype="hadoop:app:tomcat:catalina" ( host=lgpbdpv050* OR host=lgpbdpv550*)  "Call to Response * took *"  |eval Platform =if(sourcetype=="hadoop:app:opera", "OPERA","Fingerprint")   | search  Platform="*"  | eval item ="Success Requests" | stats dc(request_id) as Count by item,Platform | eval s_req= Count  ] | append [search index=imdc_vms sourcetype=hadoop:app:opera (host=lgpbdpv035* OR host=lgpbdpv535* )  ( EventDesc ="Got Request*" OR (EventDesc ="*Finished processing for request map*" AND tt_total &gt;1000) )  |eval Platform =if(sourcetype=="hadoop:app:opera", "OPERA","Fingerprint")    | search  Platform="*"  | eval item ="Error Requests" | transaction host pub_guid startswith="Got Request*" endswith="*Finished processing for request map*" maxevents=2 |stats count as Count by item,Platform  ] | eval Platform = Platform +":"+ item +": "+ Count
                | table  Platform, Count| eventstats sum(Count) as total|fields - Platform Count|head 1
               </query>
              <progress>
             <set token="total">$result.total$</set>
           </progress>

martin_mueller · ‎08-16-2016

It seems I forgot one step, you need to make the token available outside your search. Here's a working example:

<panel>
  <title>$total$</title>
  <table>
    <search>
      <query>| tstats count where index=_internal by sourcetype | eventstats sum(count) as _total</query>
      <preview>
        <set token="total">$result._total$</set>
      </preview>
    </search>
  </table>
</panel>

splunker9999 · ‎08-16-2016

Hi tried this, value is not displaying in title, it is displaying as "$result._total$"?

splunker9999 · ‎08-16-2016

Hi, we have 5 rows with one column and i used the latter to my search.
| eventstats sum(yourcolumn) as _total

and tried calling this in my panel title $result._total$ as suggested, but value is not displaying in panel?

Is there anything need to do?

Thanks

skoelpin · ‎08-15-2016

This may be difficult. Check out this thread

https://answers.splunk.com/answers/91632/getting-a-count-of-the-number-of-fields-associated-with-a-s...

Can we display the total count of all fields inside a panel?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM