Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to get the sum of some particular row in a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
team12 sum1
atgbc.im 10
bctgd.im 20
cdtgb.im 30
abrfc.in 40
bcded.in 50
total (.im) 60
total (.in) 90
total(in+im)150
Fields names are "name" and "sum"."Team12" is the name of the list having all (.in and .im files)
We have to figure out how to calculate total(.im) and total(.in)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would use appendpipe command like this:
your current search giving field name and sum
| appendpipe [| where like(name,"%.im") | eval name="total (.im)" | stats sum(sum) as sum by name]
| appendpipe [| where like(name,"%.in") | eval name="total (.in)" | stats sum(sum) as sum by name]
| appendpipe [| where like(name,"total%") | eval name="total all" | stats sum(sum) as sum by name]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would use appendpipe command like this:
your current search giving field name and sum
| appendpipe [| where like(name,"%.im") | eval name="total (.im)" | stats sum(sum) as sum by name]
| appendpipe [| where like(name,"%.in") | eval name="total (.in)" | stats sum(sum) as sum by name]
| appendpipe [| where like(name,"total%") | eval name="total all" | stats sum(sum) as sum by name]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
THE CODE YOU HAVE WRITTEN IS CORRECT AND IT IS WORKING FINE.
I will extend this problem, Suppose we have a drop-down in dashboard having three option,1- total all,2-total-(.im) 3- total-(.in).So if we select option -1 then It should display all the individual team ,total(im),total(in),total.
if we select option -2 then it should display only (.im) teams and total(.im) and similarly if we select 3 option,it should display all (.in) team and total(.in).
Can we implement this using only one search?
I have used three search for that but want to implement it using only one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can. Your dropdown token value should be
1. * for option 1 - total all
2. *(im)* for option 2- 2-total-(.im)
3. *(in)* for option 2- 2-total-(.in)
And your search should be this
your current search giving field name and sum
| appendpipe [| where like(name,"%.im") | eval name="total (.im)" | stats sum(sum) as sum by name]
| appendpipe [| where like(name,"%.in") | eval name="total (.in)" | stats sum(sum) as sum by name]
| appendpipe [| where like(name,"total%") | eval name="total all" | stats sum(sum) as sum by name]
| search name="$DropdownTokenName$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah ,It is working fine.
Thanks
[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
