Splunk Search

How to create a new column in my table showing the sum of FieldA by FieldB?

Path Finder

Hi

My data

Quarter   Type   Amount
2014q1     a      100
2014q1     b      200
2015q2     a      100
2015q2     b      100

I would like to create an additional column with sum for the same quarter.

Expected result

Quarter   Type   Amount  New_column
2014q1     a      100       300
2014q1     b      200       300
2015q2     a      100       200
2015q2     b      100       200

My current search:

index=test |stats(amount) as amount by quarter type

I do not want to use join and append.

Could you help me?

0 Karma
1 Solution

SplunkTrust

Try this

your current search | eventstats sum(amount) as New_column by quarter

Path Finder

That works!! Thank you

0 Karma

Community Manager

Hi @akawacz,

Glad @somesoni2 helped you find your answer 🙂 Please be sure to accept his answer by clicking "Accept" directly below the answer, otherwise this post will show as unresolved. Thanks!

Patrick

0 Karma

Esteemed Legend

This is not your search; you are missing a function between stats and (amount).

0 Karma

Path Finder

Yes, good point. Just forgot to put it. I was recreating a version of my bigger search that would be better/easier to explain.

0 Karma

Esteemed Legend

OK, so what is it supposed to be?

0 Karma

Path Finder

Should be sum

0 Karma
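The accepted answer applied to the question's sample rows, as an added example that is not part of the original thread. The `makeresults format=csv` line is constructed sample data standing in for `index=test` and assumes a Splunk version that supports that option; `sum` is the function the asker confirmed was missing from `stats`. `stats` collapses events to one row per quarter and type, while `eventstats` keeps every row and attaches the per-quarter total to each.

```spl
| makeresults format=csv data="quarter,type,amount
2014q1,a,100
2014q1,b,200
2015q2,a,100
2015q2,b,100"
| stats sum(amount) as amount by quarter type
| eventstats sum(amount) as New_column by quarter
| table quarter type amount New_column
```

The result matches the expected table in the question: 300 on both 2014q1 rows and 200 on both 2015q2 rows.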