Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combining Two Columns to Chart 3rd for Root Cause

AlexMcDuffMille
Communicator
‎10-17-2013 12:21 PM

I have a log that outputs a table every day of issues that occur between two parties. I'm able to split the output table into individual events so that I can graph the NumberofIssues by Party1 or Party2, but what I'm really looking for is the root cause, the 'common denominator'. I would like to show which party is the real one causing issues. I would like to graph the total NumberofIssues that any party is involved with regardless if it is listed under 'Party1' or 'Party2'.

An example of my data is:

Party1,Party2,NumberofIssues

A, D, 100

B, D, 200

C, D, 300

D, B, 400

E, A, 2

F, C, 3

Desired outcome:

A=102

B=600

C=303

D=1000

E=2

F=3

So now I would be able to make a column chart and easily spot that D is causing all sorts of issues.

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-17-2013 01:50 PM

Try this:

yoursearchhere
| eval Party = Party1 + "," + Party2
| makemv delim="," Party
| mvexpand Party
| stats sum(NumberOfIssues) as Total by Party
| sort -Total

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-17-2013 01:50 PM

Try this:

yoursearchhere
| eval Party = Party1 + "," + Party2
| makemv delim="," Party
| mvexpand Party
| stats sum(NumberOfIssues) as Total by Party
| sort -Total
Reply
Solved! Jump to solution

aholzer
Motivator
‎10-17-2013 01:27 PM

You may want to try to split the data into two sets and run a join on them. Something like this:

<base search> | table party1, NumberofIssues | rename party1 as id | join party2 [search <base search> | rename NumberofIssues as NumberofIssues2, party2 as id | table id, NumberofIssues2] | eval NewNumberOfIssues = NumberofIssues + NumberofIssues2 | table id, NewNumberOfIssues

You may need to use a full outer join rather than a simple join. But this should get you started.

Hope this helps

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...