Splunk Search

How to sum values from specific rows to then display in pie graph

hamishcross
Engager

Hey guys,

I'm trying to add the values that correspond to specific rows in a search, to then display on a dashboard (graph/pie graph).

For example, I have a table that returns as below:

Scenario count
"C2C Scenario 1" 1
"C2C Scenario 2" 2
"C2C Scenario 3" 3
"C2C Scenario 4N" 4
"C2C Scenario 4Y" 5
"C2C Scenario 5" 6
"C2C Scenario 6" 10

The above is currently returned using the below
index=ivr_app ("C4C Scenario")| rex "C2C Scenario (?\w+)" | eval Scenario = "C2C Scenario"." ".Reason | stats count by Scenario

I want to have a sum of the count
"C2C Scenario 2" + "C2C Scenario 4Y" + "C2C Scenario 5" as "POSITIVE"
"C2C Scenario 1" + "C2C Scenario 3" + C2C Scenario 4N" + "C2C Scenario 6" as "NEGATIVE"

So end outcome would be a table that is

Scenario sum
POSITIVE 11
NEGATIVE 18

The plan will then be to display the above in a pie graph.

Any help would be greatly appreciated! Thanks again. Loving getting into this stuff but starting off a little slow.

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@hamishcross,

If you dont have any common field to join them, you may try

index=ivr_app ("C4C Scenario")| rex "C2C Scenario (?\w+)" 
 | eval Scenario = "C2C Scenario"." ".Reason | stats count by Scenario
 | stats sum(eval(if(Scenario=="C2C Scenario 2" OR Scenario=="C2C Scenario 4Y" OR Scenario=="C2C Scenario 5",count,null()))) as POSITIVE,
   sum(eval(if(Scenario=="C2C Scenario 1" OR Scenario=="C2C Scenario 3" OR Scenario=="C2C Scenario 4N" OR Scenario=="C2C Scenario 6",count,null()))) as NEGATIVE
0 Karma

hamishcross
Engager

I'm pretty sure you're missing a stats ahead of the sum?

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

ofcourse 🙂 , updated

0 Karma