Solved: How to create a table that has values summed up by...

Hppjet · ‎05-03-2018

I would like to manipulate it to look like this:

woodcock · ‎05-03-2018

I can't believe I actually transcribed your dataset (please post text, not graphics next time):

|makeresults | eval raw="A10 1 1090:
A10 2 1429:
A10 3 1527.66667:
A10 4 1611.46154:
A10 5 1023:
A102 1 1928.06667:
A102 2 1564.26923:
A102 3 2668.7:
A102 4 1730.33333:
A102 5 1801.75:
A103 1 1687.26316:
A103 2 1903.45833:
A103 3 1784.84615:
A103 4 1358.93333:
A103 5 1818.5:
A104 1 2476.2:
A104 2 2184.26316:
A104 3 2272.86667:
A104 4 1742.55:
A104 5 2571:
A107 1 2294.07692"
| makemv delim=":" raw
| mvexpand raw
| rex field=raw "(?<operator>\S+)\s+(?<Month>\S+)\s+(?<Count>\S+)"
| table operator Month Count

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| chart sum(Count) BY operator Month
| addtotals row=f col=t
| fillnull operator value="Grand Total"

View solution in original post

elliotproebstel · ‎05-03-2018

If you're looking to go from the first chart above (three columns: operator, Month, and Count) to the second chart, then you should be able to append this to your current search:

| xyseries operator Month Count 
| addcoltotals label="Grand Total" labelfield="operator"

woodcock · ‎05-03-2018

I can't believe I actually transcribed your dataset (please post text, not graphics next time):

|makeresults | eval raw="A10 1 1090:
A10 2 1429:
A10 3 1527.66667:
A10 4 1611.46154:
A10 5 1023:
A102 1 1928.06667:
A102 2 1564.26923:
A102 3 2668.7:
A102 4 1730.33333:
A102 5 1801.75:
A103 1 1687.26316:
A103 2 1903.45833:
A103 3 1784.84615:
A103 4 1358.93333:
A103 5 1818.5:
A104 1 2476.2:
A104 2 2184.26316:
A104 3 2272.86667:
A104 4 1742.55:
A104 5 2571:
A107 1 2294.07692"
| makemv delim=":" raw
| mvexpand raw
| rex field=raw "(?<operator>\S+)\s+(?<Month>\S+)\s+(?<Count>\S+)"
| table operator Month Count

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| chart sum(Count) BY operator Month
| addtotals row=f col=t
| fillnull operator value="Grand Total"

Hppjet · ‎05-03-2018

I need to take the values in the second column and turn those into columns which will sum the values based on what is in the first column.

Hppjet · ‎05-03-2018

It worked!

woodcock · ‎05-03-2018

Yes, I get it; that is what my solution does. Did you not try it? I went back and modified my answer to prove that it works with sample data.

kamlesh_vaghela · ‎05-03-2018

Hi @Hppjet,

Have you tried addcoltotals ??

Can you please try my sample search?

index="_internal" sourcetype=* date_minute=* 
| chart count over sourcetype by date_minute 
| addcoltotals 
| fillnull value="Grand Total" sourcetype

I have added fillnull for displaying "Grand Total" value at the last.

Thanks

Hppjet · ‎05-03-2018

I need to take the values in the second column and turn those into columns which will sum the values based on what is in the first column.

How to create a table that has values summed up by the column?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM