Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combining Two Columns to Chart 3rd for Root Cause

AlexMcDuffMille
Communicator
‎10-17-2013 12:21 PM

I have a log that outputs a table every day of issues that occur between two parties. I'm able to split the output table into individual events so that I can graph the NumberofIssues by Party1 or Party2, but what I'm really looking for is the root cause, the 'common denominator'. I would like to show which party is the real one causing issues. I would like to graph the total NumberofIssues that any party is involved with regardless if it is listed under 'Party1' or 'Party2'.

An example of my data is:

Party1,Party2,NumberofIssues

A, D, 100

B, D, 200

C, D, 300

D, B, 400

E, A, 2

F, C, 3

Desired outcome:

A=102

B=600

C=303

D=1000

E=2

F=3

So now I would be able to make a column chart and easily spot that D is causing all sorts of issues.

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-17-2013 01:50 PM

Try this:

yoursearchhere
| eval Party = Party1 + "," + Party2
| makemv delim="," Party
| mvexpand Party
| stats sum(NumberOfIssues) as Total by Party
| sort -Total

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-17-2013 01:50 PM

Try this:

yoursearchhere
| eval Party = Party1 + "," + Party2
| makemv delim="," Party
| mvexpand Party
| stats sum(NumberOfIssues) as Total by Party
| sort -Total
Reply
Solved! Jump to solution

aholzer
Motivator
‎10-17-2013 01:27 PM

You may want to try to split the data into two sets and run a join on them. Something like this:

<base search> | table party1, NumberofIssues | rename party1 as id | join party2 [search <base search> | rename NumberofIssues as NumberofIssues2, party2 as id | table id, NumberofIssues2] | eval NewNumberOfIssues = NumberofIssues + NumberofIssues2 | table id, NewNumberOfIssues

You may need to use a full outer join rather than a simple join. But this should get you started.

Hope this helps

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...