Splunk Search

How do I get the sum of similar values in chart?

Borys
New Member

Hello, thank you in advance for your time.
I need to perform the sum of similar fields that results in a chart.
My current query is the following:

...| chart count by path, auditJsonMessage.Code | rename path as "EndPoint"
| addtotals | rename Total as "Total Calls"

As a result it gives the following:

(screenshot: Borys_0-1683043967544.png)

But what I want is for all the "EndPoints" that are even to be added and show a single row with the http code total.


abi2023
Path Finder

| chart sum(count) as "Total Calls" by path, auditJsonMessage.Code
| rename path as "EndPoint"


rut
Path Finder

Hi @Borys,

Instead of the chart command, you could first combine relevant data. Maybe this will work for you?

...
| stats count by EndPoint,Code
| stats sum(count) as sum, values(EndPoint) as EndPoints by count, Code
| rename sum as count
| nomv EndPoints
| chart sum(count) by EndPoints,Code
| fillnull value=0

After the initial stats command the above block groups again but by count and code, keeping endpoint values and the related sum. The nomv command is needed to flatten the result of the EndPoints, so the chart command can't split that result again. The final command fills the remaining empty values.

I've tested the above with the makeresults command:

| makeresults format=csv data="EndPoint,auditJsonMessage.Code
/test1,200
/test1,200
/test2,400
/test2,200
/test3,201
/test3,303
/test4,201"
| rename auditJsonMessage.Code as Code
| stats count by EndPoint,Code
| stats sum(count) as sum, values(EndPoint) as EndPoints by count, Code
| rename sum as count
| nomv EndPoints
| chart sum(count) by EndPoints,Code
| fillnull value=0

Which gave me the following output:

(screenshot: rut_0-1683049414932.png)

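Since the screenshots did not survive, here is an added example (not Splunk code and not from either poster) that models the SPL steps in Python over the same sample rows as the makeresults block above: `stats count`, `chart ... | fillnull value=0`, `addtotals`, rut's second `stats` plus `nomv`, and a single per-code totals row of the kind `addcoltotals` produces, which is what the question asks for. It assumes `nomv` joins the multivalue list with a single space and that `values()` returns its entries in lexicographic order.

```python
from collections import Counter, defaultdict

# Constructed sample: the same rows as the makeresults block in the answer above.
EVENTS = [
    ("/test1", "200"), ("/test1", "200"), ("/test2", "400"), ("/test2", "200"),
    ("/test3", "201"), ("/test3", "303"), ("/test4", "201"),
]

def stats_count(events):
    """| stats count by EndPoint,Code  ->  {(EndPoint, Code): count}"""
    return Counter(events)

def chart(counts, col_totals=False):
    """| chart sum(count) by <row field>,Code | fillnull value=0 | addtotals
    With col_totals=True, append one row holding the per-code sums, which is
    what | addcoltotals labelfield=EndPoint label=Total produces in SPL.
    Returns (codes, rows); each row is (row label, {code: n}, row total)."""
    codes = sorted({code for _, code in counts})
    rows = []
    for label in sorted({label for label, _ in counts}):
        cells = {c: counts.get((label, c), 0) for c in codes}   # fillnull value=0
        rows.append((label, cells, sum(cells.values())))        # addtotals
    if col_totals:
        totals = {c: sum(cells[c] for _, cells, _ in rows) for c in codes}
        rows.append(("Total", totals, sum(totals.values())))
    return codes, rows

def merge_equal_counts(counts):
    """The second stats in rut's answer:
    | stats sum(count) as sum, values(EndPoint) as EndPoints by count, Code
    | rename sum as count | nomv EndPoints
    Endpoints that share the same count for a code collapse into one row.
    Assumption: nomv joins the multivalue list with a single space."""
    groups = defaultdict(list)
    for (endpoint, code), n in counts.items():
        groups[(n, code)].append(endpoint)
    merged = {}
    for (n, code), endpoints in groups.items():
        endpoints.sort()                       # values() is lexicographically ordered
        merged[(" ".join(endpoints), code)] = n * len(endpoints)  # sum(count)
    return merged

if __name__ == "__main__":
    counts = stats_count(EVENTS)
    for title, (codes, rows) in (("OP's chart with totals", chart(counts, col_totals=True)),
                                 ("rut's merged chart", chart(merge_equal_counts(counts)))):
        print(title)
        print("EndPoint".ljust(16), *codes, "Total")
        for label, cells, total in rows:
            print(label.ljust(16), *(cells[c] for c in codes), total)
```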