- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to append column total to column name?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have data something like this
Name. Accepted Rejected Posted Total
Change 3 5 7 15
NOC 5 6 5 16
8 11 12 21
Which I am getting by this command
Index=#####
| chart dc(TID) as count by Name Status
| addtotals
| addcolTotals
What I wanted is
Name. Accepted(8) Rejected(11) Posted(12) Total(21)
Change 3 5 7 15
NOC 5 6 5 16
8 11 12 21
I did try | eval status=status."(".count.")"
Thanks for your time!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is a run-anywhere example that does it:
index=_*
| rename component AS Status, sourcetype AS Name
| chart useother=f usenull=f limit=3 count BY Name Status
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| addtotals row=t col=t
| eval Name=coalesce(Name, "Grand Totals")
| rename Name AS _Name
| eventstats max(*) AS total_*
| foreach total_* [ eval <<FIELD>> = "<<MATCHSTR>>(" . <<FIELD>> . ")", {<<FIELD>>} = <<MATCHSTR>> | fields - <<FIELD>> <<MATCHSTR>> ]
| rename _Name AS Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is a run-anywhere example that does it:
index=_*
| rename component AS Status, sourcetype AS Name
| chart useother=f usenull=f limit=3 count BY Name Status
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| addtotals row=t col=t
| eval Name=coalesce(Name, "Grand Totals")
| rename Name AS _Name
| eventstats max(*) AS total_*
| foreach total_* [ eval <<FIELD>> = "<<MATCHSTR>>(" . <<FIELD>> . ")", {<<FIELD>>} = <<MATCHSTR>> | fields - <<FIELD>> <<MATCHSTR>> ]
| rename _Name AS Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is wonderful @woodcock, Thanks for your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sandeepmakkena
Can you please try this?
Index=#####
| chart dc(TID) as count by Name Status
| addtotals
| table Name Accepted Rejected Posted Total | addcolTotals labelfield=Name label="my_total" | transpose header_field=Name | eval column=column."(".my_total.")" | transpose header_field=column | rename column as Name
Sample Search:
| makeresults | eval _raw="Name Accepted Rejected Posted Total
Change 3 5 7 15
NOC 5 6 5 16" | multikv | table Name Accepted Rejected Posted Total | addcolTotals labelfield=Name label="my_total" | transpose header_field=Name | eval column=column."(".my_total.")" | transpose header_field=column | rename column as Name
Note: You can remove | table Name Accepted Rejected Posted Total if the sequence of fields is the same.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@kamlesh_vaghela Thanks for responding but, it does not work.
I am getting something like this.
Name row 1 row 2 row 3
AE 2 0 2
AT 5 0 6
AU 2 0 3
BE 6 0 6
BR 24 0 31
I already tried something similar, I think I am missing something, Thanks!
New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...
Alerting Best Practices: How to Create Good Detectors
Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...
