Splunk Search

How to add multiple fields count values

cooperjaram
Engager

Hello,

I have 6 fields that I would like to count and then add all the count values together.

For example I have Survey_Question1, I stats count by that field which produces.

(NULL) 5630
1 2
3 4
4 24
5 558

The 1, 2, 3, 4, 5 are the rating given on the survey.

I have Survey_Question1-Survey_Questions6 I would like to get all their count values and then add them together so then I can divide by 6 and get an average, that I can then visualize onto a dashboard.

Hope this makes sense!

0 Karma
1 Solution

Anantha123
Communicator

Please try below method.

basesearch field="Survey_Question1"
| stats count as Count1
| appendcols
[ search basesearch field="Survey_Question2"
| stats count as Count2 ]
| appendcols
[ search basesearch field="Survey_Question3"
| stats count as Count3 ]
| appendcols
[ search basesearch field="Survey_Question4"
| stats count as Count4 ]
| appendcols
[ search basesearch field="Survey_Question5"
| stats count as Count5 ]
| appendcols
[ search basesearch field="Survey_Question6"
| stats count as Count6 ]
| table Count1,Count2,Count3,Count4,Count5,Count6
| eval TotalCount=round(((Count1+Count2+Count3+Count4+Count5+Count6 )/2),2)
| table TotalCount

View solution in original post

0 Karma

Anantha123
Communicator

Please try below method.

basesearch field="Survey_Question1"
| stats count as Count1
| appendcols
[ search basesearch field="Survey_Question2"
| stats count as Count2 ]
| appendcols
[ search basesearch field="Survey_Question3"
| stats count as Count3 ]
| appendcols
[ search basesearch field="Survey_Question4"
| stats count as Count4 ]
| appendcols
[ search basesearch field="Survey_Question5"
| stats count as Count5 ]
| appendcols
[ search basesearch field="Survey_Question6"
| stats count as Count6 ]
| table Count1,Count2,Count3,Count4,Count5,Count6
| eval TotalCount=round(((Count1+Count2+Count3+Count4+Count5+Count6 )/2),2)
| table TotalCount

0 Karma

cooperjaram
Engager

This worked, thank you!

0 Karma

Anantha123
Communicator

Try below

| stats count as Total , count(eval(field="Survey_Question1") ) as Count1 , count(eval(field="Survey_Question2") ) as Count2 ,count(eval(field="Survey_Question3") ) as Count3 , count(eval(field="Survey_Question4") ) as Count4 , count(eval(field="Survey_Question5") ) as Count5 ,count(eval(field="Survey_Question6") ) as Count6
| eval TotalCount=round(((Count1+Count2+Count3+Count4+Count5+Count6 )/6),2)

0 Karma

cooperjaram
Engager

When I attempt this I get the below error.

Error in 'stats' command: The dynamically evaluated field specifier 'eval(field="Survey_Question1") ' is invalid. The field specifier must be non-empty, start with '{', and end with '}'.

0 Karma

jacobpevans
Motivator

Try this:

| stats count as Total ,
        sum(eval(field="Survey_Question1") ) as Count1,
        sum(eval(field="Survey_Question2") ) as Count2,
        sum(eval(field="Survey_Question3") ) as Count3, 
        sum(eval(field="Survey_Question4") ) as Count4, 
        sum(eval(field="Survey_Question5") ) as Count5,
        sum(eval(field="Survey_Question6") ) as Count6
| eval TotalCount=round(((Count1+Count2+Count3+Count4+Count5+Count6 )/6),2)
Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma

cooperjaram
Engager

I get the same error when I attempt this.

Error in 'stats' command: The dynamically evaluated field specifier 'eval(field="Survey_Question1") ' is invalid. The field specifier must be non-empty, start with '{', and end with '}'.

0 Karma

jacobpevans
Motivator

Hm. I assume you're replaying field with your actual field name, correct? Apologies for the dumb question, just want to make sure we aren't missing anything easy.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...