How to sum values from specific rows to then display in pie graph

Engager

Hey guys,

I'm trying to add the values that correspond to specific rows in a search, to then display on a dashboard (graph/pie graph).

For example, I have a table that returns as below:

Scenario count
"C2C Scenario 1" 1
"C2C Scenario 2" 2
"C2C Scenario 3" 3
"C2C Scenario 4N" 4
"C2C Scenario 4Y" 5
"C2C Scenario 5" 6
"C2C Scenario 6" 10

The above is currently returned using the below
index=ivr_app ("C4C Scenario") | rex "C2C Scenario (?<Reason>\w+)" | eval Scenario = "C2C Scenario"." ".Reason | stats count by Scenario

I want to have a sum of the count
"C2C Scenario 2" + "C2C Scenario 4Y" + "C2C Scenario 5" as "POSITIVE"
"C2C Scenario 1" + "C2C Scenario 3" + "C2C Scenario 4N" + "C2C Scenario 6" as "NEGATIVE"

So end outcome would be a table that is

Scenario sum
POSITIVE 11
NEGATIVE 18

The plan will then be to display the above in a pie graph.

Any help would be greatly appreciated! Thanks again. Loving getting into this stuff but starting off a little slow.

0 Karma

SplunkTrust

@hamishcross,

If you don't have any common field to join them, you may try

index=ivr_app ("C4C Scenario") | rex "C2C Scenario (?<Reason>\w+)"
 | eval Scenario = "C2C Scenario"." ".Reason | stats count by Scenario
 | stats sum(eval(if(Scenario=="C2C Scenario 2" OR Scenario=="C2C Scenario 4Y" OR Scenario=="C2C Scenario 5",count,null()))) as POSITIVE,
   sum(eval(if(Scenario=="C2C Scenario 1" OR Scenario=="C2C Scenario 3" OR Scenario=="C2C Scenario 4N" OR Scenario=="C2C Scenario 6",count,null()))) as NEGATIVE
0 Karma

Engager

I'm pretty sure you're missing a stats ahead of the sum?

0 Karma

SplunkTrust

Of course 🙂, updated

0 Karma
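
Added example, not part of the original posts: a pie chart needs one row per slice, so this variant labels each Scenario with a group and sums by that label, with a catch-all so a scenario missing from both lists shows up instead of being dropped silently. The field names `constructed_rows` and `Outcome` and the label `UNCLASSIFIED` are assumptions made for this example, and the first four lines only rebuild the table from the question as constructed sample data so the search runs without the `ivr_app` index.

```spl
| makeresults
| eval constructed_rows=split("C2C Scenario 1=1;C2C Scenario 2=2;C2C Scenario 3=3;C2C Scenario 4N=4;C2C Scenario 4Y=5;C2C Scenario 5=6;C2C Scenario 6=10", ";")
| mvexpand constructed_rows
| rex field=constructed_rows "^(?<Scenario>[^=]+)=(?<count>\d+)$"
| eval Outcome=case(
    in(Scenario, "C2C Scenario 2", "C2C Scenario 4Y", "C2C Scenario 5"), "POSITIVE",
    in(Scenario, "C2C Scenario 1", "C2C Scenario 3", "C2C Scenario 4N", "C2C Scenario 6"), "NEGATIVE",
    true(), "UNCLASSIFIED")
| stats sum(count) AS sum BY Outcome
```

Against live data, replace the first four lines with the base search from the question up to and including `stats count by Scenario`, then keep the `eval` and final `stats`.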