Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use an addcoltotals result for eval?

splunkreal
Motivator
‎07-20-2016 09:36 AM

Hello dear Splunk experts 🙂

I have this in my search: 

addcoltotals labelfield=fieldtosum label=TOTAL

However I would like to reuse the result of it like fieldtosum/TOTAL, how to do?

Example attached.

alt text

Thanks.

* If this helps, please upvote or accept solution if it solved *
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-20-2016 09:42 AM

Try like this

your current search | eventstats sum(fieldtosum) as TOTAL | addcoltotals labelfield=fieldtosum label=TOTAL | eval  fieldtosum=fieldtosum/TOTAL

View solution in original post

Reply
Solved! Jump to solution

splunkreal
Motivator
‎07-21-2016 06:59 AM

Here is the search :

| multisearch [ search index="xxx" sourcetype="XXX_Search" | where NB_Result = 0 | rename NB_Result as SZERO ] [ search index="xxx" sourcetype="XXX_Search" | where NB_Result > 1 ] | stats count(AZERO) as totalsearch, count (SZERO) as totalfailed by Result | eval wresult=round(totalfailed/(totalfailed+totalsearch)*100,0) | eval ctotal=totalfailed+totalsearch | eval Searches=case(Result="null","Something", Result="YES","Yes",Result="NEAR","Near") | eventstats sum(Searches) as totalr | table Searches,totalsearch,totalfailed, ctotal, wresult, totalr

Field totalr is empty however totalr is not empty if I use eventstats sum(wresult) as totalr

So is it a problem with case?

Thanks.

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-21-2016 07:30 AM

This is very helpful but I need to see the actual output, too, (which is what I was asking to see before). What I mean is that you obviously don't have field names A, B, and C. Your search shows that you should have 5 fields. Show your output as it really is (good and bad).

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-20-2016 03:02 PM

Your picture does not match your search. Type it in and get the field names correct.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-20-2016 09:42 AM

Try like this

your current search | eventstats sum(fieldtosum) as TOTAL | addcoltotals labelfield=fieldtosum label=TOTAL | eval  fieldtosum=fieldtosum/TOTAL
Reply
Solved! Jump to solution

splunkreal
Motivator
‎07-22-2016 01:27 AM

It works!

I was using the wrong fieldtosum : it's ok with eventstats sum(totalsearch) as totalr

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...