I am trying to get a running total for the number of events field. I cannot get a column that adds up every 'number of events' or a running total anywhere at the bottom. Any suggestions?
Here's my search:
* | fields + app_name, app_id | top app_id app_name | rename app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"
From the docs on accum:
accum
Keeps a running total of a specified numeric field.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Accum
Nice! Another command that I wasn't previously aware existed 🙂
Just as a suggestion, this search does a count for events with two distinct values, adds them together, and has the total as a new column.
| stats count(eval(product="abc")) AS abc_count, count(eval(product="xyz")) AS xyz_count by product | eval total_products=abc_count+xyz_count | sort -total_products
Sorry if this isn't what you're looking for, but hopefully it helps in some way.
Also you might want to remove the regex tag.. I don't think this has much to do with regular expressions 😉
Sorry about that, I am not sure how that got there.
So there is no way to just add a field that will give me a running total for all the events that I am searching for. When I add the sum feature it just takes me to a different screen and then gives me a total instead of having all the information listed and totaling in a different field. Thank you for your help, just having a hard time getting it to work.
Yes, but it does not add a separate column that just has the total of all the counts.
So you need to use a | stats sum(count)?
They are existing fields, I need a total of the top events. Not just each individual event
What about the part that generates the statistics? (the count and percent part) unless they are existing fields?
Just a portion of it. I left off the index and the sourcetype because I didn't think it would be needed.
+1 Ayn, you'll need to copy and paste your whole search directly if you want any useful help.
I doubt that is really your search. Did you paste the whole search or just portions of it?
Any help would be appreciated.