Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combining Two Columns to Chart 3rd for Root Cause

AlexMcDuffMille
Communicator
‎10-17-2013 12:21 PM

I have a log that outputs a table every day of issues that occur between two parties. I'm able to split the output table into individual events so that I can graph the NumberofIssues by Party1 or Party2, but what I'm really looking for is the root cause, the 'common denominator'. I would like to show which party is the real one causing issues. I would like to graph the total NumberofIssues that any party is involved with regardless if it is listed under 'Party1' or 'Party2'.

An example of my data is:

Party1,Party2,NumberofIssues

A, D, 100

B, D, 200

C, D, 300

D, B, 400

E, A, 2

F, C, 3

Desired outcome:

A=102

B=600

C=303

D=1000

E=2

F=3

So now I would be able to make a column chart and easily spot that D is causing all sorts of issues.

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-17-2013 01:50 PM

Try this:

yoursearchhere
| eval Party = Party1 + "," + Party2
| makemv delim="," Party
| mvexpand Party
| stats sum(NumberOfIssues) as Total by Party
| sort -Total

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-17-2013 01:50 PM

Try this:

yoursearchhere
| eval Party = Party1 + "," + Party2
| makemv delim="," Party
| mvexpand Party
| stats sum(NumberOfIssues) as Total by Party
| sort -Total
Reply
Solved! Jump to solution

aholzer
Motivator
‎10-17-2013 01:27 PM

You may want to try to split the data into two sets and run a join on them. Something like this:

<base search> | table party1, NumberofIssues | rename party1 as id | join party2 [search <base search> | rename NumberofIssues as NumberofIssues2, party2 as id | table id, NumberofIssues2] | eval NewNumberOfIssues = NumberofIssues + NumberofIssues2 | table id, NewNumberOfIssues

You may need to use a full outer join rather than a simple join. But this should get you started.

Hope this helps

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...