Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Combining Two Columns to Chart 3rd for Root Cause

AlexMcDuffMille
Communicator
‎10-17-2013 12:21 PM

I have a log that outputs a table every day of issues that occur between two parties. I'm able to split the output table into individual events so that I can graph the NumberofIssues by Party1 or Party2, but what I'm really looking for is the root cause, the 'common denominator'. I would like to show which party is the real one causing issues. I would like to graph the total NumberofIssues that any party is involved with regardless if it is listed under 'Party1' or 'Party2'.

An example of my data is:

Party1,Party2,NumberofIssues

A, D, 100

B, D, 200

C, D, 300

D, B, 400

E, A, 2

F, C, 3

Desired outcome:

A=102

B=600

C=303

D=1000

E=2

F=3

So now I would be able to make a column chart and easily spot that D is causing all sorts of issues.

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-17-2013 01:50 PM

Try this:

yoursearchhere
| eval Party = Party1 + "," + Party2
| makemv delim="," Party
| mvexpand Party
| stats sum(NumberOfIssues) as Total by Party
| sort -Total

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-17-2013 01:50 PM

Try this:

yoursearchhere
| eval Party = Party1 + "," + Party2
| makemv delim="," Party
| mvexpand Party
| stats sum(NumberOfIssues) as Total by Party
| sort -Total
Reply
Solved! Jump to solution

aholzer
Motivator
‎10-17-2013 01:27 PM

You may want to try to split the data into two sets and run a join on them. Something like this:

<base search> | table party1, NumberofIssues | rename party1 as id | join party2 [search <base search> | rename NumberofIssues as NumberofIssues2, party2 as id | table id, NumberofIssues2] | eval NewNumberOfIssues = NumberofIssues + NumberofIssues2 | table id, NewNumberOfIssues

You may need to use a full outer join rather than a simple join. But this should get you started.

Hope this helps

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...