Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to specify a particular aggregate value in query for Single Value Visualization Chart?

jaj
Path Finder
‎01-19-2019 11:35 AM

how do i specify a particular value to be displayed in single value visualization chart? i only want the totalCount (success+errors) to display as the single value in the chart:

index=nonprod_applogs source="*test.log*" ("purchase success")  OR ("purchase failed") | 
dedup requestMarker | 
stats count(eval(searchmatch("purchase success"))) as successCount 
      count(eval(searchmatch("purchase failed"))) as errorCount |
eval totalCount = successCount + errorCount
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎01-19-2019 12:14 PM

@jaj why not try just | stats count as totalCount? You have already filtered the required events:

index=nonprod_applogs source="*test.log*" ("purchase success")  OR ("purchase failed") 
| dedup requestMarker
| stats count as totalCount
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎01-19-2019 12:14 PM

@jaj why not try just | stats count as totalCount? You have already filtered the required events:

index=nonprod_applogs source="*test.log*" ("purchase success")  OR ("purchase failed") 
| dedup requestMarker
| stats count as totalCount
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

jaj
Path Finder
‎01-19-2019 12:21 PM

@niketnilay dang yes very true for totalCount thank you :bow:

0 Karma
Reply
Solved! Jump to solution

dkeck
Influencer
‎01-19-2019 11:40 AM

HI,

I want to rewrite my previous answer:

try this. either add to your XML code on your dashboard the option field have a look at the link under "single value"

https://docs.splunk.com/Documentation/Splunk/7.2.3/Viz/PanelreferenceforSimplifiedXML#single_value

or use the SPL command | fields totalCount within your single value search on the dashboard

Reply
Solved! Jump to solution

jaj
Path Finder
‎01-19-2019 11:45 AM

hi @dkeck! i appended that to the end of the query but it's only displaying "1"

0 Karma
Reply
Solved! Jump to solution

dkeck
Influencer
‎01-19-2019 11:54 AM

updated my answer 🙂

0 Karma
Reply
Solved! Jump to solution

jaj
Path Finder
‎01-19-2019 12:22 PM

@dkeck cool thanks for the amended response! :thumbsup:

0 Karma
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...