Splunk Search

How to add multiple fields count values

cooperjaram
Engager

Hello,

I have 6 fields that I would like to count and then add all the count values together.

For example I have Survey_Question1, I stats count by that field which produces.

(NULL) 5630
1 2
3 4
4 24
5 558

The 1, 2, 3, 4, 5 are the rating given on the survey.

I have Survey_Question1-Survey_Questions6 I would like to get all their count values and then add them together so then I can divide by 6 and get an average, that I can then visualize onto a dashboard.

Hope this makes sense!

0 Karma
1 Solution

Anantha123
Communicator

Please try below method.

basesearch field="Survey_Question1"
| stats count as Count1
| appendcols
[ search basesearch field="Survey_Question2"
| stats count as Count2 ]
| appendcols
[ search basesearch field="Survey_Question3"
| stats count as Count3 ]
| appendcols
[ search basesearch field="Survey_Question4"
| stats count as Count4 ]
| appendcols
[ search basesearch field="Survey_Question5"
| stats count as Count5 ]
| appendcols
[ search basesearch field="Survey_Question6"
| stats count as Count6 ]
| table Count1,Count2,Count3,Count4,Count5,Count6
| eval TotalCount=round(((Count1+Count2+Count3+Count4+Count5+Count6 )/2),2)
| table TotalCount

View solution in original post

0 Karma

Anantha123
Communicator

Please try below method.

basesearch field="Survey_Question1"
| stats count as Count1
| appendcols
[ search basesearch field="Survey_Question2"
| stats count as Count2 ]
| appendcols
[ search basesearch field="Survey_Question3"
| stats count as Count3 ]
| appendcols
[ search basesearch field="Survey_Question4"
| stats count as Count4 ]
| appendcols
[ search basesearch field="Survey_Question5"
| stats count as Count5 ]
| appendcols
[ search basesearch field="Survey_Question6"
| stats count as Count6 ]
| table Count1,Count2,Count3,Count4,Count5,Count6
| eval TotalCount=round(((Count1+Count2+Count3+Count4+Count5+Count6 )/2),2)
| table TotalCount

0 Karma

cooperjaram
Engager

This worked, thank you!

0 Karma

Anantha123
Communicator

Try below

| stats count as Total , count(eval(field="Survey_Question1") ) as Count1 , count(eval(field="Survey_Question2") ) as Count2 ,count(eval(field="Survey_Question3") ) as Count3 , count(eval(field="Survey_Question4") ) as Count4 , count(eval(field="Survey_Question5") ) as Count5 ,count(eval(field="Survey_Question6") ) as Count6
| eval TotalCount=round(((Count1+Count2+Count3+Count4+Count5+Count6 )/6),2)

0 Karma

cooperjaram
Engager

When I attempt this I get the below error.

Error in 'stats' command: The dynamically evaluated field specifier 'eval(field="Survey_Question1") ' is invalid. The field specifier must be non-empty, start with '{', and end with '}'.

0 Karma

jacobpevans
Motivator

Try this:

| stats count as Total ,
        sum(eval(field="Survey_Question1") ) as Count1,
        sum(eval(field="Survey_Question2") ) as Count2,
        sum(eval(field="Survey_Question3") ) as Count3, 
        sum(eval(field="Survey_Question4") ) as Count4, 
        sum(eval(field="Survey_Question5") ) as Count5,
        sum(eval(field="Survey_Question6") ) as Count6
| eval TotalCount=round(((Count1+Count2+Count3+Count4+Count5+Count6 )/6),2)
Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma

cooperjaram
Engager

I get the same error when I attempt this.

Error in 'stats' command: The dynamically evaluated field specifier 'eval(field="Survey_Question1") ' is invalid. The field specifier must be non-empty, start with '{', and end with '}'.

0 Karma

jacobpevans
Motivator

Hm. I assume you're replaying field with your actual field name, correct? Apologies for the dumb question, just want to make sure we aren't missing anything easy.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...