Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to create new columns by adding columns from a timechart output?

richtate
Path Finder
‎09-14-2023 02:27 PM

Good day,

I have this SPL:

index=test_7d sourcetype="Ibm:BigFix:CVE" earliest=-1d
| search FixletSourceSeverityTxt="Critical" OR FixletSourceSeverityTxt="Urgent"
| eval ReleaseDtm=strptime(FixletSourceReleaseDtm, "%Y-%m-%d")
| where ReleaseDtm>1672531199 ```Epoch time for 12/31/22 23:59:59, this gets only 2023 fixlets```
| eval _time = ReleaseDtm
| makemv FixletCVETxt
| eval cvecount=mvcount(FixletCVETxt)
| eval cvetotal=cvecount * RemediatedComputerCount
| timechart span=1mon sum(cvetotal) as cvetotal sum(RemediatedComputerCount) as RemediatedComputerCount by ComputerDatabaseId
 
 
That has the output of:
 
_time RemediatedComputerCount: 0 RemediatedComputerCount: 1 cvetotal: 0 cvetotal: 1
2023-01 113575 29512 7177373 1619396
2023-02 230629 42239 4779801 1063153
2023-03 253770 55769 7246548 1792831
2023-04 139419 36156 8175076 2192272
2023-05 144117 40335 2781698 740369
2023-06 314684 81621 5574141 1420760
2023-07 163672 47112 13643474 3957452
2023-08 281891 65004 6481422 1587176
2023-09 4596 6508 62384 98312

 

I would like to add the 'RemediatedComputerCount: #' columns to a total column by month next to the existing columns.  Then add another column with totals for 'cvetotal: #'.  I don't want totals of each column for a grand total at the bottom, just the total of the like columns in a new one by _time.

Suggestions?  Thanks!

Labels (4)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-14-2023 05:27 PM

Use the addtotals command which will sum up the fields you specify - it supports wildcards

 

| addtotals RemediatedComputerCount* fieldname=RemediatedComputerCount
| addtotals cvetotal* fieldname=cvetotal

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-14-2023 05:27 PM

Use the addtotals command which will sum up the fields you specify - it supports wildcards

 

| addtotals RemediatedComputerCount* fieldname=RemediatedComputerCount
| addtotals cvetotal* fieldname=cvetotal

 

 

Reply
Solved! Jump to solution

richtate
Path Finder
‎09-15-2023 07:56 AM

Thanks that worked.  I was running down the addcoltotals letting the column get in my way.  Simple solution, thanks!

Tags (1)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...