Solved: How to get total for line count then subtotal for ...

jaj · ‎12-03-2013

Hi - Very new to splunk.

I have the following query that gives me total count for a specific log:

LOGGING string:
"log msg: stuff="

from this query I can get total by matching "log msg":

source=*/logs/stdout.log classname=Log "log msg" | stats count

However, I want to get that count as well the count for "stuff" where stuff=""

How can I modify the query above to get the total count for "log msg" and total count where stuff is empty string...(as a next ask possibly display in a stacked bar chart?) But raw data is fine for now.

somesoni2 · ‎12-03-2013

Try following

source=*/logs/stdout.log classname=Log "log msg" | stats count , count(eval(stuff=""))

View solution in original post

somesoni2 · ‎12-03-2013

Try following

source=*/logs/stdout.log classname=Log "log msg" | stats count , count(eval(stuff=""))

jaj · ‎12-03-2013

awesome, thanks!

How to get total for line count then subtotal for another field in the same query?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation