Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Renaming field value for totals
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all, currently I'm using a search which returns results similar to this for each event I.E March April May etc..., where the second occurrence of march in this case gives me the totals for install and MM.
I was wondering if there was anyway that i set up up my search so that the second occurence of the group name will read as "totals" or something similar.
Here is the part of my search that gives me this table format, and as always thank you for the help.
| table Group, Bundle, Installs, Build, MM, |appendpipe [| stats sum(Installs) as Installs sum(MM) as MM by Group ] |sort Group
Group Bundle Installs MM
March 1a 3 50
2a 2 20
3a 5 10
March 10 80
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try:
| table Group, Bundle, Installs, Build, MM, | sort Group | appendpipe [| stats sum(Installs) as Installs sum(MM) as MM by Group | eval Group="Totals" ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try:
| table Group, Bundle, Installs, Build, MM, | sort Group | appendpipe [| stats sum(Installs) as Installs sum(MM) as MM by Group | eval Group="Totals" ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It does work, however it renames every field under group I would like to limit it to only renaming the second occurrence of that field value so for example turning this -
Group Bundle Installs MM
March 1a 3 50
2a 2 20
3a 5 10
March 10 80
Into this
Group Bundle Installs MM
March 1a 3 50
2a 2 20
3a 5 10
Totals 10 80
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Every Group value said "Totals"? Did you do perform the eval inside the appendpipe only? If sorting is just being lost, we can preserve its "real" group by creating another field using eval and then sorting on that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry yes it did work, It just slipped my mind to put the command into the appendpipe, and for the sorting issue you mean basically leaving the "Real" group in the background so it can sort by that but display the "Totals" label?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, exactly. I think it'd look something like this for your search:
| table Group, Bundle, Installs, Build, MM, | eval Sorter=Group | appendpipe [| stats sum(Installs) as Installs sum(MM) as MM by Group | eval Sorter=Group | eval Group="Totals" ] | sort -Sorter | fields - Sorter
The sort should stay in place since we are removing the Sorter field after it has already been applied by the sort command.
Either way, let me know how you make out. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked wonderfully, thank you!
Observe and Secure All Apps with Splunk
Splunk Decoded: Business Transactions vs Business IQ
Fastest way to demo Observability
