Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to add results from stats value?

n4niyaz
Explorer
‎03-29-2018 06:05 AM

Hi

I have a field called department, on that field i have multiple values like 

department=Production for Medicine 
department=Research and Development
department=Purchasing
department=Marketing
department=Human Resource Management
department=Accounting and Finance 
department=Production for Medicine-PFM
department=Research and Development-RD
 So after running stats count by department am getting below results like

department                                  count

Production for Medicine                   5
Research and Development             10
Purchasing                                          12
Marketing                                             6
Human Resource Management        3
Accounting and Finance                      4
Production for Medicine-PFM             6
Research and Development-RD         13

What I need is to add count value of following: 

Production for Medicine + Production for Medicine-PFM =11
Research and Development + Research and Development-RD  =23

Kindly let me know if there is any solution to get above result.

0 Karma
Reply

TISKAR
Builder
‎03-29-2018 08:15 AM

Hello,

Try this please:

| eval PFM =if(departement="Production for Medicine " OR departement="Production for Medicine-PFM",count,0)
| eventstats sum(PFM) as sum
|appendpipe[departement="Production for Medicine + Production for Medicine-PFM", count=sum]
| fields -sum
| dedup departement
0 Karma
Reply

kmaron
Motivator
‎03-29-2018 07:59 AM

You could drop everything after and including the dash from the department name using a regex

| rex field=department mode=sed "s/-.*$//"
0 Karma
Reply

n4niyaz
Explorer
‎03-29-2018 09:38 AM

Thanks for the reply but i need is sum of total count of Production for Medicine + Production for Medicine-PFM =11 in a separate field either PFM=11 means count of Production for Medicine(6) + Production for Medicine-PFM(5)=PFM ie PFM =6+5 ie PFM=11 and here
Research and Development (10)+ Research and Development-RD(13) =23 RD=23 ie RD=10+13 ie RD=23

0 Karma
Reply

kmaron
Motivator
‎03-29-2018 12:43 PM

try this:

| rex field=department "(?<base_department>.*)-\S"
| stats count by department, base_department
| appendpipe [stats sum(count) as count by base_department]
| sort base_department
| fields - base_department
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...