Splunk Search

How to Calculate the sum of values from a chart and create a field specifying that total of those values

theouhuios
Motivator

Hello

I am trying to create a total of values in different fields and add it to the output as a different field. I am able to get the value of different fields but got stuck on how to add them.

sourcetype="xxxx" earliest=-31d@d latest=@d| dedup record.incidentId   |stats count by record.priority| 

This is the command which I used to get the data. The data now is

record.priority     count
1                        6
2                    7568
3                    6346
4                    68

Now I wanted to add another field with a total of all the count values in the same chart.

Anyone has an idea on how to do that? Is there any other method where I can first get the whole total of the count in a bar chart for a 31 day period and then probably draw the graph with different priority fields which gives the information about each priority with a count of incidents created per day?

Regards

-theou

Tags (1)
0 Karma
1 Solution

theouhuios
Motivator

Used the addtotals command to get a total value. Then used fields to remove the redundant fields which weren't needed.

Thanks for all your help.

View solution in original post

theouhuios
Motivator

Used the addtotals command to get a total value. Then used fields to remove the redundant fields which weren't needed.

Thanks for all your help.

kristian_kolb
Ultra Champion

You should probably look at the addcoltotals command;

your_search_here | addcoltotals labelfield=record.priority label="Total count"

See the docs here:
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Addcoltotals

For the second part of your query, I don't really understand how you want the output, but try;

sourcetype="xxxx" earliest=-31d@d latest=@d| dedup record.incidentId  | timechart span=1d count by record.priority

You can paste the search (or write a new one from scratch) into the Advanced Charting view (under the "Dashboards & Views" menu), and play around with the visualization options.

Hope this helps,

Kristian

theouhuios
Motivator

Hmm.. The timechart is the way which i am doing as of now. But I am trying to see if I can actually use multiple visualizations on a single dashboard. Like a bar chart mentioning the total count of incidents and then a line chart upon the bar chart which graphs according to number of incidents and the priority of the incident.

0 Karma

kristian_kolb
Ultra Champion

true, addcoltotals does not create a new field per se, but I gathered that the real request was more for presentation purposes.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

that or eventstats

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...