- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I create this report table with two column...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Is it possible to get a report like this in Splunk?
I have fields APP, status and category. Here I am taking the count of status for each category by APP. I want a category for each row, and under each APP, I want the status and total of each column with a Grand Total column on the far right side of the table. Please refer to the attached image sample.png as the table was too wide for proper formatting on this site.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this (you will need to adjust some things to match your search/data and may need to re-order the fields):
YourBaseSearchHere APP="N-S" | eval app_status = APP . ":" . status | chart count over Cat by app_status | addtotals | rename Total AS "N-S Total" | appendcols [ YourBaseSearchHere APP="S-V" | eval app_status = APP . ":" . status | chart count over Cat by app_status | addtotals | rename Total AS "S-V Total" ] | eval Grand_Total=0 | foreach *Total [ eval Grand_Total = Grand_Total + $<<FIELD>>$ ] | addcoltotals labelfield=Cat label=Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this (you will need to adjust some things to match your search/data and may need to re-order the fields):
YourBaseSearchHere APP="N-S" | eval app_status = APP . ":" . status | chart count over Cat by app_status | addtotals | rename Total AS "N-S Total" | appendcols [ YourBaseSearchHere APP="S-V" | eval app_status = APP . ":" . status | chart count over Cat by app_status | addtotals | rename Total AS "S-V Total" ] | eval Grand_Total=0 | foreach *Total [ eval Grand_Total = Grand_Total + $<<FIELD>>$ ] | addcoltotals labelfield=Cat label=Total
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much, its working.
But one small thing. Is it possible to put N-S Total after app_status of N-S and S-V Total after app_Status of S-V Total and Grandtotal in last column
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not understand why Splunk is reordering the fields but you can manually reorder them with the fields command by specifying every field in the order that you desire.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
