Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to combine duplicate multiple rows into one ro...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wanda619
Path Finder
08-03-2022
07:19 AM
Hi Community,
I have a data as follows -
|
Customer |
Error Code |
Result |
|
Abc |
1111 |
2 |
|
Abc |
1111 |
3 |
|
Abc |
1222 |
4 |
|
Abc |
Total |
4 |
|
Abc |
Total |
5 |
I want to combine the Total into single row Total showing the result column as - Total : 9.
My code now -
| stats count as Result by Customer, ErrorCode
| eval PercentOfTotal=100
| append
[search index=sourcetype= abc: source= */ABC/* ErrorCode!=0
| stats count as Result by Customer
| eval ErrorCode="Total", PercentOfTotal=100]
| lookup xyz ErrorCode OUTPUT Description
| lookup pqr Customer OUTPUT Customer_Name
| eval Customer_Name=coalesce(Customer_Name,Customer)
| eval Error=if(ErrorCode!="Total", ErrorCode+" ("+coalesce(Description,"Description Missing - Update xyz")+")", ErrorCode)
| fields CustomerName, Error, Result
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
08-03-2022
07:41 AM
I'm sure there will be a better option than this but without knowing your data, it would be difficult to suggest that. Try to add following to your current search(at the end):
Your current search
| fields CustomerName, Error, Result
| stats sum(Result) as Result by CustomerName, Error- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
08-03-2022
07:41 AM
I'm sure there will be a better option than this but without knowing your data, it would be difficult to suggest that. Try to add following to your current search(at the end):
Your current search
| fields CustomerName, Error, Result
| stats sum(Result) as Result by CustomerName, Error- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
martinpu
Communicator
08-03-2022
07:36 AM
| stats count as Result by Customer, ErrorCode
| eval PercentOfTotal=100
| addcoltotals Result
|fillnull 'Error Code' value="Total"
You can sum up your counts with the addcoltotals command as shown above.
Get Updates on the Splunk Community!
Splunk App for Anomaly Detection End of Life Announcment
Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
