Splunk Search

Reverse running total/ sum needed

Michael_Schyma1
Contributor

I cannot figure out how to get the sum of all the information at the top without changing the other fields around. I really just want a sum, but I cannot seem to get the stats sum function to work.
| top limit=0 app_id app_name | fields + count, total_count, percent, app_name, app_id | accum count AS total_count | rename total_count AS "Total Count" app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"

Any help would be appreciated. I am just not sure where to go from here; I just need a total of all, not necessarily a running total.

0 Karma
1 Solution

Ayn
Legend

So, you want a count split by app_id and app_name, plus a total count, with that count at the top?

How about

... | stats count as "Total Count" | append [search ... | top limit=0 app_id app_name | app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"]


0 Karma

Michael_Schyma1
Contributor

Thank you for trying. I don't know why I am not getting the same results.

0 Karma

Ayn
Legend

In that case I'm afraid I can't help you more without understanding your requirement and how it is not being met. In my environment when I issue a very similar query I get a row with a "Total count" in the first column, followed by a number of rows containing the statistics generated by top.

Michael_Schyma1
Contributor

I do want a total count field that populates how many events are generated from our system. I don't understand how I am not seeing any other fields but a total count when I add the stats function. I just wanted to add the total field to what I had originally. I cannot take screenshots here.

0 Karma

Ayn
Legend

I think you need to post screenshots and more details if we're to have any chance of understanding what you want. I thought I understood, but it seems I was wrong. You said previously that you wanted a total count at the top, but now you're saying that you want to add it to other fields (what fields? where?). It gives you a total count (wasn't that what you wanted?) and takes other fields away (how? are you not seeing any other rows than the one with the total count?)

0 Karma

Michael_Schyma1
Contributor

Thank you. I wanted to add the total count to the other fields that were in there, and it doesn't seem to want to let me do that. It takes all the other fields away and just gives me a count total instead of adding to the chart that I already have.

0 Karma

Ayn
Legend

Ah, sorry, my bad - I seem to have left out a "rename" after the last pipe in my search.

index=hik sourcetype="MainframeApps" | stats count as "Total Count" | append [search index=hik sourcetype="MainframeApps"| top limit=0 app_id app_name | rename app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"]
0 Karma
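Two variants of the corrected search above, added here as an example and not part of the original thread. The first keeps the rows produced by top and attaches the total as a column on every row (eventstats), which matches the request to "add the total field to what I had originally"; it runs against constructed sample data built with makeresults (six events, two app_id/app_name pairs) so it can be pasted into any search bar without the hik index. The second keeps the thread's real index and sourcetype and produces the total as a separate row in a single pass with appendpipe instead of re-running the base search in a subsearch; that row lands at the bottom of the table. The field names app_id, app_name, count and percent come from the thread; the sample values A100/Payroll and B200/Billing are made up.

```spl
| makeresults count=6
| streamstats count AS n
| eval app_id=if(n<=4, "A100", "B200"), app_name=if(n<=4, "Payroll", "Billing")
| top limit=0 app_id app_name
| eventstats sum(count) AS "Total Count"
| rename app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"
| table "Total Count" "App Code" "Application Name" "Number of Events" "Percent"

index=hik sourcetype="MainframeApps"
| top limit=0 app_id app_name
| appendpipe [ stats sum(count) AS "Total Count" ]
| rename app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"
```

In the first search the sample data yields two rows (A100/Payroll with 4 events, B200/Billing with 2) and "Total Count" is 6 on both. Two things to check when adapting either form: the rename command must actually be present after the pipe, because otherwise the next token (app_id) is parsed as a command name and Splunk reports that the search operation is unknown; and a total computed with stats count over the raw events counts every event, while a total summed from the count field of top only covers events that carry both app_id and app_name, so the two figures differ whenever either field is missing from some events.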

Michael_Schyma1
Contributor

index=hik sourcetype="MainframeApps" | stats count as "Total Count" | append [search index=hik sourcetype="MainframeApps"| top limit=0 app_id app_name | app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"]

0 Karma

Ayn
Legend

You should be getting a total number of events if you issue the search correctly. Could you show the complete search that you're using now?

0 Karma

Michael_Schyma1
Contributor

Maybe I am just wording it wrong. I just want a total number of events and I cannot get it. With your code I get "search operation 'app' is unknown".

0 Karma

Ayn
Legend

So, does my answer satisfy that requirement?

0 Karma

Michael_Schyma1
Contributor

I want a total count field that will either display one number for all the events, or a running total that will display the total at the top instead of the bottom.

0 Karma