Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subtotals over columns generated by timechart

takemusu
Explorer
‎07-03-2014 03:23 AM

I have the following search query:

source=*Src some_filtering | ... | timechart span=5m max(ActCnt) by source

that produces results like:

time c:\log1 c:\log2 c:\log3 c:\file1 c:\file2
2014-07-03 00:00:00 2
2014-07-03 00:05:00 2 4 2 4
2014-07-03 00:10:00 1 6 2 2 2
2014-07-03 00:15:00 1
2014-07-03 00:20:00 1

My goal is to get the subtotals by columns from sources log* and file*.
As result I would need just something like this:
time LOG FILE
2014-07-03 00:00:00 2
2014-07-03 00:05:00 8 4
2014-07-03 00:10:00 9 4
2014-07-03 00:15:00 1
2014-07-03 00:20:00 1

I tried to summarize columns after timechart command using | addcoltotals and | foreach but looks like addressing auto-generated fields (that match to my log source names) isn't possible after timechart.
I cannot use sum over ActCnt field, because that would also summarize values that appear in one log (e.g. c:\log1). My goal is to get subtotals over different logs.

Thanks in advance.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-03-2014 06:48 AM

Try something like this (assuming 'LOG' represent sources with string "log" in the name and 'FILE' represents sources with string "file" in the name)

source=*Src some_filtering | ... | timechart span=5m max(ActCnt) by source | addtotals fieldname=LOG *log* |  addtotals fieldname=FILE *file* | table _time LOG FILE

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-03-2014 06:48 AM

Try something like this (assuming 'LOG' represent sources with string "log" in the name and 'FILE' represents sources with string "file" in the name)

source=*Src some_filtering | ... | timechart span=5m max(ActCnt) by source | addtotals fieldname=LOG *log* |  addtotals fieldname=FILE *file* | table _time LOG FILE
Reply
Solved! Jump to solution

takemusu
Explorer
‎07-03-2014 10:45 PM

Actually, found a mistake in my query. Now all results are CORRECT! Marking the answer as accepted.

0 Karma
Reply
Solved! Jump to solution

takemusu
Explorer
‎07-03-2014 10:39 PM

Thank you. It does display some subtotals. However, after comparison total numbers with not aggregated results I see differences. Will dig into that.

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...