Solved: Re: Manipulating a Table

KarunK · ‎09-14-2014

Hi All,

I have a following table. Total is the sum of the cost of items by country using eventstats.

   Country      Items   cost    Total
    US      pen     3       6
    US      pencil  2       6
    US      paper   1       6
    UK      pen     6       12
    UK      pencil  3       12
    UK      paper   3       12
    HK      pen     4       7.5
    HK      pencil  2.5     7.5
    HK      paper   1       7.5

I need to modify the table to look like below.

Country Items   cost    Total
US  pen 3   6
    pencil  2   
    paper   1   
UK  pen 6   12
    pencil  3   
    paper   3   
HK  pen 4   7.5
    pencil  2.5 
    paper   1

I have played around with stats values function but of no use. Any ideas ???

Thanks in Advance.

KK

MuS · ‎09-15-2014

Hi KarunK,

take this run everywhere example and adapt it to your needs:

index=_internal sourcetype=splunkd 
| eventstats count AS myCount by series 
| stats list(series) AS series list(myCount) AS count sum(myCount) AS total by sourcetype

This will return something similar to your target.

hope this helps...

cheers, MuS

View solution in original post

MuS · ‎09-15-2014

Hi KarunK,

take this run everywhere example and adapt it to your needs:

index=_internal sourcetype=splunkd 
| eventstats count AS myCount by series 
| stats list(series) AS series list(myCount) AS count sum(myCount) AS total by sourcetype

This will return something similar to your target.

hope this helps...

cheers, MuS

MuS · ‎09-18-2014

Use list instead of values in that case 😉

KarunK · ‎09-21-2014

Great !!! Issue resolved....
Thanks Mate ...

MuS · ‎09-21-2014

please mark this as answered, thx

KarunK · ‎09-18-2014

Values wont work as it show only the unique value. I want to show all values.

Thanks for your thoughts !!!

KKN

Manipulating a Table

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life