Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count and sum fourth column if second and third column are certain value and group by first column?

Username1
Path Finder
‎08-06-2020 08:23 AM

So my data structure has four columns: "Month", "Status", "Accepted", "Value". As the title suggest I'm trying to determine two things: 1) the total values per month, 2) the total values per month where "Status=Done and Accepted = Done". I have the query working for the first one but I'm having difficulty with the second. Does anyone have any ideas how to do this? Thanks!

 

index=index
|table Month, Status, Accepted, Value
| eval _time=strptime(scan_date,"%Y-%m-%d")
| stats sum(Value) as total_value_per_month by Month

 

Labels (5)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 12:50 PM

Check this and upvote if it solves your problem.

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎08-06-2020 01:11 PM 
index=YOURINDEX sourcetype=YOURSOURCETYPE
| stats sum(Value) as TotalValue by Month 
| append 
[ searchindex=YOURINDEX sourcetype=YOURSOURCETYPE Status="Done" Accepted="Done" 
| stats sum(Value) as TotalVal_Done by Month] 
| stats values(TotalValue) as TotalValue values(TotalVal_Done) as TotalVal_Done by Month
0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 08:49 AM

index=index Status=Done Accepted=Done

| stats sum(Value) by Month

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

Username1
Path Finder
‎08-06-2020 08:52 AM

Hi @thambisetty  Thanks for responding! If i do that how will I count where Status = 'Not Done" by Month?

 

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 08:57 AM

I believe you are looking for different query?

If yes,

index=index Status=“not done” 

| stats sum(Value) by Month.

 

up vote if it solves your problem.

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

Username1
Path Finder
‎08-06-2020 08:58 AM

@thambisetty Is there no way I can have one query? The end goal is to have a visual

 

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 09:02 AM

Write down all your cases to combine. We need to use Case statement.

for example: 

if Status=Done Accepted=Done -> Done

if status =“Not Done” -> “Not Done”

and expected output in table format.

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

Username1
Path Finder
‎08-06-2020 09:07 AM

@thambisetty   So my data structure has four columns: "Month", "Status", "Accepted", "Value". The two things I'm trying to graph are: 1) the total values per month no matter what Status/Accepted, 2) the total values per month where "Status=Done and Accepted = Done".  

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 09:13 AM

index=index

| eval done=if(Status=“Done” AND Accepted=“Done”,”1”,”0”)

| stats sum(Value) as all , sum(done) as done by Month

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

Username1
Path Finder
‎08-06-2020 09:48 AM

@thambisetty  I tried running that and it returned "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '”1”,”0”)'."

If I do that how would the `done`  eval be able to sum all of the Values, as Values range from .25 - 10

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 09:56 AM

index=index

| eval done=if(Status=“Done” AND Accepted=“Done”,”1”,”0”)

| stats sum(Value) as all , sum(done) as done by Month


replace double quotes with double quotes from your key board.

 

your query is not clear.

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-06-2020 12:50 PM

Check this and upvote if it solves your problem.

————————————
If this helps, give a like below.
Reply
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
Top