Splunk Search

Get sum of column on table


I've been trying to get the sum for production column on the following table by month, day, year, hours

My Search:

source="rest://RGM Lifetime Stats"
| spath intervals{} output=intervals
| rename intervals{}.end_at as Date, intervals{}.wh_del as Production
| eval temp=mvzip(Date,Production)
| stats count by _time temp
| eval Date=replace(replace(mvindex(split(temp,","),0),"-07:00",""),"T"," "),Production=mvindex(split(temp,","),1)
| table Date Production 

What I want to be able to do is a breakdown by 1) Month, 2) day, 3) year, 4) hours

For Example:

Date Production
Nov 2017 10.2
Dec 2017 235
Jan 2018 244
Feb 2018 278

and same thing for day, year and hours.



What I tried so far

source="rest://RGM Lifetime Stats"
| spath intervals{} output=intervals
| rename intervals{}.end_at as Date, intervals{}.wh_del as Production
| eval temp=mvzip(Date,Production)
| stats count by _time temp
| eval Date=replace(replace(mvindex(split(temp,","),0),"-07:00",""),"T"," "),Production=mvindex(split(temp,","),1)
| table Date Production 
| eventstats sum(Production) as total
| dedup total
| fields total

Any help is appreciated it.

Tags (2)
0 Karma


alt text

| makeresults | eval message= "Happy Splunking!!!"
0 Karma


@bora9, whichever breakdown time span you need like hourly, daily or monthly, you can add the same as a dropdown and show the sum of Production by using timechart command with span.

Following is a run anywhere dashboard with some of your older sample data. In the following dashboard <query> you would need to use your current base search instead of first two pipes i.e. makeresults and eval _raw

  <label>Stats by different Time Duration</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="tokSpan" searchWhenChanged="true">
      <label>Breakdown Span</label>
      <choice value="1h">Hourly</choice>
      <choice value="1d">Daily</choice>
      <choice value="1mon">Monthly</choice>
          <query>| makeresults
 | eval _raw="{
 | rex "\"end_at\":\"(?<end_at>[^\"]+)\"\,\s+\"devices_reporting\":(?<devices_reporting>[^\,]+)\,\s+\"wh_del\":(?<wh_del>\d+)\s+\}" max_match=0
 | fields - _time _raw
 | eval data=mvzip(end_at,wh_del)
 | fields data
 | mvexpand data
 | eval data=split(data,",")
 | eval _time=strptime(mvindex(data,0),"%Y-%m-%dT%H:%M:%S"), Production=mvindex(data,1)
 | fields - data
 | timechart sum(Production) as Total span="$tokSpan$"</query>
        <option name="charting.chart">column</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
| makeresults | eval message= "Happy Splunking!!!"
0 Karma


I keep getting the following error message with your solution

Error in 'search' command: Unable to parse the search: Comparator '<' is missing a term on the left hand side.

can you please advise.

0 Karma


@bora9, for the Less than and Greater than symbols in Simple XML use &lt; and &gt; instead

| rex "\"end_at\":\"(?&lt;end_at&gt;[^\"]+)\"\,\s+\"devices_reporting\":(?&lt;devices_reporting&gt;[^\,]+)\,\s+\"wh_del\":(?&lt;wh_del&gt;\d+)\s+\}" max_match=0

On Splunk Answers even inside the code block it got changed.

Alternatively you can run the query inside the <query> block in search and then save to the dashboard.

| makeresults | eval message= "Happy Splunking!!!"
0 Karma


I'm still getting the same error if I try replacing the less than and greater than with &lt and &gt or even if I run my original query inside the block in search.

Any other ideas? I checked that every <> combination was started and closed correctly but still the same issue.

0 Karma


@bora9, I have updated a screenshot with code snippet for rex command. Make sure you have escaped also double quotes inside regular expression should be prefixed with backslash

Try the following in Splunk Search and see if it working. If it does, edit the dashboard Panel and Add the following Query from UI Edit option instead of Simple XML source code.

| makeresults
 | eval _raw="{
 | rex "\"end_at\":\"(?<end_at>[^\"]+)\"\,\s+\"devices_reporting\":(?<devices_reporting>[^\,]+)\,\s+\"wh_del\":(?<wh_del>\d+)\s+\}" max_match=0
 | fields - _time _raw
 | eval data=mvzip(end_at,wh_del)
 | fields data
 | mvexpand data
 | eval data=split(data,",")
 | eval _time=strptime(mvindex(data,0),"%Y-%m-%dT%H:%M:%S"), Production=mvindex(data,1)
 | fields - data
 | timechart sum(Production) as Total span="1h"
| makeresults | eval message= "Happy Splunking!!!"
0 Karma


Hi bora9,
have you seen this blog article https://www.splunk.com/blog/2014/04/30/adding-a-subtotal-to-your-report.html ?


0 Karma
Get Updates on the Splunk Community!

Harnessing Splunk’s Federated Search for Amazon S3

Managing your data effectively often means balancing performance, costs, and compliance. Splunk’s Federated ...

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...