Splunk Search

How to sum values from specific rows to then display in pie graph

hamishcross
Engager

Hey guys,

I'm trying to add the values that correspond to specific rows in a search, to then display on a dashboard (graph/pie graph).

For example, I have a table that returns as below:

Scenario count
"C2C Scenario 1" 1
"C2C Scenario 2" 2
"C2C Scenario 3" 3
"C2C Scenario 4N" 4
"C2C Scenario 4Y" 5
"C2C Scenario 5" 6
"C2C Scenario 6" 10

The above is currently returned using the below
index=ivr_app ("C4C Scenario")| rex "C2C Scenario (?\w+)" | eval Scenario = "C2C Scenario"." ".Reason | stats count by Scenario

I want to have a sum of the count
"C2C Scenario 2" + "C2C Scenario 4Y" + "C2C Scenario 5" as "POSITIVE"
"C2C Scenario 1" + "C2C Scenario 3" + C2C Scenario 4N" + "C2C Scenario 6" as "NEGATIVE"

So end outcome would be a table that is

Scenario sum
POSITIVE 11
NEGATIVE 18

The plan will then be to display the above in a pie graph.

Any help would be greatly appreciated! Thanks again. Loving getting into this stuff but starting off a little slow.

0 Karma

renjith_nair
Legend

@hamishcross,

If you dont have any common field to join them, you may try

index=ivr_app ("C4C Scenario")| rex "C2C Scenario (?\w+)" 
 | eval Scenario = "C2C Scenario"." ".Reason | stats count by Scenario
 | stats sum(eval(if(Scenario=="C2C Scenario 2" OR Scenario=="C2C Scenario 4Y" OR Scenario=="C2C Scenario 5",count,null()))) as POSITIVE,
   sum(eval(if(Scenario=="C2C Scenario 1" OR Scenario=="C2C Scenario 3" OR Scenario=="C2C Scenario 4N" OR Scenario=="C2C Scenario 6",count,null()))) as NEGATIVE
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

hamishcross
Engager

I'm pretty sure you're missing a stats ahead of the sum?

0 Karma

renjith_nair
Legend

ofcourse 🙂 , updated

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...