Hello
I am trying to create a total of values in different fields and add it to the output as a different field. I am able to get the value of different fields but got stuck on how to add them.
sourcetype="xxxx" earliest=-31d@d latest=@d | dedup record.incidentId | stats count by record.priority
This is the command which I used to get the data. The data now is
record.priority count
1 6
2 7568
3 6346
4 68
Now I wanted to add another field with a total of all the count values in the same chart.
Does anyone have an idea on how to do that? Is there any other method where I can first get the whole total of the count in a bar chart for a 31 day period and then probably draw the graph with different priority fields which gives the information about each priority with a count of incidents created per day?
Regards
-theou
Used the addtotals
Thanks for all your help.
You should probably look at the addcoltotals command;
your_search_here | addcoltotals labelfield=record.priority label="Total count"
See the docs here:
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Addcoltotals
For the second part of your query, I don't really understand how you want the output, but try;
sourcetype="xxxx" earliest=-31d@d latest=@d | dedup record.incidentId | timechart span=1d count by record.priority
You can paste the search (or write a new one from scratch) into the Advanced Charting view (under the "Dashboards & Views" menu), and play around with the visualization options.
Hope this helps,
Kristian
Hmm.. The timechart is the way which I am doing as of now. But I am trying to see if I can actually use multiple visualizations on a single dashboard. Like a bar chart mentioning the total count of incidents and then a line chart upon the bar chart which graphs according to number of incidents and the priority of the incident.
True, addcoltotals does not create a new field per se, but I gathered that the real request was more for presentation purposes.
that or eventstats
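The difference between the two approaches mentioned in this thread, as an added example that is not part of the original posts: eventstats writes the grand total into a new field on every row, so it can feed a per-priority percentage, while addcoltotals appends one summary row. The field names total and pct_of_total are assumptions chosen for this example.

```spl
sourcetype="xxxx" earliest=-31d@d latest=@d
| dedup record.incidentId
| stats count by record.priority
| eventstats sum(count) as total
| eval pct_of_total=round(count / total * 100, 2)
| addcoltotals labelfield=record.priority label="Total count" count
```

With the counts shown in the question (6, 7568, 6346, 68), total is 13988 on every priority row, and the appended "Total count" row carries 13988 in the count column.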