How to use an addcoltotals result for eval?

Builder

Hello dear Splunk experts 🙂

I have this in my search:

addcoltotals labelfield=fieldtosum label=TOTAL

However, I would like to reuse the result of it, like fieldtosum/TOTAL. How can I do that?

Example attached.

Thanks.


Re: How to use an addcoltotals result for eval?

SplunkTrust

Try like this

your current search | eventstats sum(fieldtosum) as TOTAL | addcoltotals labelfield=fieldtosum label=TOTAL | eval fieldtosum=fieldtosum/TOTAL


Re: How to use an addcoltotals result for eval?

Builder

It works!

I was using the wrong fieldtosum: it's OK with eventstats sum(totalsearch) as totalr


Re: How to use an addcoltotals result for eval?

Esteemed Legend

Your picture does not match your search. Type it in and get the field names correct.


Re: How to use an addcoltotals result for eval?

Builder

Here is the search:

| multisearch
    [ search index="xxx" sourcetype="XXX_Search" | where NB_Result = 0 | rename NB_Result as SZERO ]
    [ search index="xxx" sourcetype="XXX_Search" | where NB_Result > 1 ]
| stats count(AZERO) as totalsearch, count (SZERO) as totalfailed by Result
| eval wresult=round(totalfailed/(totalfailed+totalsearch)*100,0)
| eval ctotal=totalfailed+totalsearch
| eval Searches=case(Result="null","Something", Result="YES","Yes",Result="NEAR","Near")
| eventstats sum(Searches) as totalr
| table Searches,totalsearch,totalfailed, ctotal, wresult, totalr

Field totalr is empty; however, totalr is not empty if I use eventstats sum(wresult) as totalr.

So is it a problem with case?

Thanks.


Re: How to use an addcoltotals result for eval?

Esteemed Legend

This is very helpful, but I need to see the actual output too (which is what I was asking to see before). What I mean is that you obviously don't have field names A, B, and C. Your search shows that you should have 5 fields. Show your output as it really is (good and bad).
