I cannot figure out how to get the sum of all the information at the top without changing the other fields around. I really just want a sum, but I cannot seem to get the stats sum function to work.
|top limit=0 app_id app_name | fields + count, total_count, percent,app_name, app_id | accum count AS total_count | rename total_count AS "Total Count" app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"
Any help would be appreciated. I am just not sure where to go from here; I just need a total of all, not necessarily a running total.
So, you want a count split by app_id and app_name, plus a total count, with that count at the top?
How about
... | stats count as "Total Count" | append [search ... | top limit=0 app_id app_name | app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"]
Thank you for trying, I don't know why I am not getting the same results.
In that case I'm afraid I can't help you more without understanding your requirement and how it is not being met. In my environment when I issue a very similar query I get a row with a "Total count" in the first column, followed by a number of rows containing the statistics generated by top.
I do want a total count field that populates how many events are generated from our system. I don't understand how I am not seeing any other fields but a total count when I add the stat function. I just wanted to add the total field to what I had originally. I cannot take screenshots here.
I think you need to post screenshots and more details if we're to have any chance of understanding what you want. I thought I understood, but it seems I was wrong. You said previously that you wanted a total count at the top, but now you're saying that you want to add it to other fields (what fields? where?). It gives you a total count (wasn't that what you wanted?) and takes other fields away (how? are you not seeing any other rows than the one with the total count?)
Thank you, I wanted to add the total count to the other fields that were in there and it doesn't seem to want to let me do that. It takes all the other fields away and just gives me a count total instead of adding to the chart that I already have.
Ah, sorry, my bad - I seem to have left out a "rename" after the last pipe in my search.
index=hik sourcetype="MainframeApps" | stats count as "Total Count" | append [search index=hik sourcetype="MainframeApps"| top limit=0 app_id app_name | rename app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"]
index=hik sourcetype="MainframeApps" | stats count as "Total Count" | append [search index=hik sourcetype="MainframeApps"| top limit=0 app_id app_name | app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"]
You should be getting a total number of events if you issue the search correctly. Could you show the complete search that you're using now?
Maybe I am just wording it wrong. I just want a total number of events and I cannot get it. With your code I get search operation 'app' is unknown.
So, does my answer satisfy that requirement?
I want a total count field that will either display one number of all the events, or a running total that will display the total at the top instead of the bottom.
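An added example, not posted by anyone in the thread: one way to keep every row that top produces and still show the overall total is to replace accum (a running total) with eventstats, which writes the same sum onto each row. The first four lines build six constructed sample events with makeresults so the search runs without any index; the app_id and app_name values in them are made up.

```spl
| makeresults count=6
| streamstats count AS n
| eval app_id=case(n<=3, "A01", n<=5, "B02", true(), "C03")
| eval app_name=case(app_id="A01", "Payroll", app_id="B02", "Billing", true(), "Ledger")
| top limit=0 app_id app_name
| eventstats sum(count) AS total_count
| table total_count app_id app_name count percent
| rename total_count AS "Total Count" app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"
```

On the sample data this returns three rows (counts 3, 2 and 1), each with "Total Count" set to 6 in the first column. To use it on real data, replace the first four lines with the base search from the thread, index=hik sourcetype="MainframeApps".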