Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count one column, sum another, display average on a third then display group by columns

benj851
Explorer
‎10-19-2020 08:23 AM

Hello; 

I'm a bit stuck and looking for assistance. 

Base query returns the following values: Brand SystemId ResponseStatus Amount UniqueIdentifier

I would like to perform work to make the query return stats on top of it:
1. Count the UniqueIdentifier in a new column.
2. Sum the Amount grouping by Brand SystemId ResponseStatus
3. Percent of Total Sum(Amount) by Brand SystemId ResponseStatus
4. Percent of Total count(UniqueIdentifier) by Brand SystemId ResponseStatus

Then I would like the final result to appear like: 

1.2.3.4, then Brand SystemId ResponseStatus --> to demonstrate the groupings. 

 

In splunk I know I can perform counts, and sum, using a grouping, then sum(counts) by, and create averages. What I can't determine is how to line them all together in a single resultset.  Further, if I try to do stats on multiple columns and set it to a new column, it won't accept it (or doing it wrong)

 

I would appreciate any pointers. 

Labels (6)
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2020 10:11 AM 
| makeresults | eval events="V 	System1	Good	34.93	UniqueID1
A	System2	Good	11.94	UniqueID2
V 	System3	Good	6.06	UniqueID3
V 	System2	Bad	13.44	UniqueID4
A	System2	Good	11.94	UniqueID5
V 	System3	Good	6.06	UniqueID6
M	System3	Good	1	UniqueId7"
| rex field=events max_match=0 "(?<events>[^\r\n]+)"
| mvexpand events
| rex field=events max_match=0 "(?<Brand>\S+)\s+(?<SystemId>\S+)\s+(?<ResponseStatus>\S+)\s+(?<Amount>\S+)\s+(?<TRI>\S+)"
| stats count sum(Amount) as Amount by Brand SystemId ResponseStatus
| eventstats sum(Amount) as TotalAmount sum(count) as Total
| eval PercentAmount=100*Amount/TotalAmount
| eval PercentCount=100*count/Total
| fields count, Amount, PercentAmount, PercentCount, Brand, SystemId, ResponseStatus

View solution in original post

Reply
Solved! Jump to solution

benj851
Explorer
‎10-19-2020 09:49 AM
TypeSystemIdResponseStatusApprovedAmountTRI
System1Good34.93UniqueID1
ASystem2Good11.94UniqueID2
System3Good6.06UniqueID3
System2Bad13.44UniqueID4
ASystem2Good11.94UniqueID5
System3Good6.06UniqueID6
MSystem3Good1UniqueId7
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2020 10:11 AM 
| makeresults | eval events="V 	System1	Good	34.93	UniqueID1
A	System2	Good	11.94	UniqueID2
V 	System3	Good	6.06	UniqueID3
V 	System2	Bad	13.44	UniqueID4
A	System2	Good	11.94	UniqueID5
V 	System3	Good	6.06	UniqueID6
M	System3	Good	1	UniqueId7"
| rex field=events max_match=0 "(?<events>[^\r\n]+)"
| mvexpand events
| rex field=events max_match=0 "(?<Brand>\S+)\s+(?<SystemId>\S+)\s+(?<ResponseStatus>\S+)\s+(?<Amount>\S+)\s+(?<TRI>\S+)"
| stats count sum(Amount) as Amount by Brand SystemId ResponseStatus
| eventstats sum(Amount) as TotalAmount sum(count) as Total
| eval PercentAmount=100*Amount/TotalAmount
| eval PercentCount=100*count/Total
| fields count, Amount, PercentAmount, PercentCount, Brand, SystemId, ResponseStatus
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2020 09:20 AM 
-- base query
| stats count sum(Amount) as Amount by Brand SystemId ResponseStatus
| eventstats sum(Amount) as TotalAmount sum(count) as Total
| eval PercentAmount=100*Amount/TotalAmount
| eval PercentCount=100*count/Total
| fields count, Amount, PercentAmount, PercentCount, Brand, SystemId, ResponseStatus
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2020 09:14 AM

Can you provide some sample data that could be returned by your basic query and how that might translate into your final result?

Is 1 a count of uniqueids grouping by Brand SystemId ResponseStatus as well?

Does each event have a unique identifier? (That may sound obvious but needs confirming.)

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...