- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Subtotals over columns generated by timechart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following search query:
source=*Src some_filtering | ... | timechart span=5m max(ActCnt) by source
that produces results like:
time c:\log1 c:\log2 c:\log3 c:\file1 c:\file2
2014-07-03 00:00:00 2
2014-07-03 00:05:00 2 4 2 4
2014-07-03 00:10:00 1 6 2 2 2
2014-07-03 00:15:00 1
2014-07-03 00:20:00 1
My goal is to get the subtotals by columns from sources log* and file*.
As result I would need just something like this:
time LOG FILE
2014-07-03 00:00:00 2
2014-07-03 00:05:00 8 4
2014-07-03 00:10:00 9 4
2014-07-03 00:15:00 1
2014-07-03 00:20:00 1
I tried to summarize columns after timechart command using | addcoltotals and | foreach but looks like addressing auto-generated fields (that match to my log source names) isn't possible after timechart.
I cannot use sum over ActCnt field, because that would also summarize values that appear in one log (e.g. c:\log1). My goal is to get subtotals over different logs.
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this (assuming 'LOG' represent sources with string "log" in the name and 'FILE' represents sources with string "file" in the name)
source=*Src some_filtering | ... | timechart span=5m max(ActCnt) by source | addtotals fieldname=LOG *log* | addtotals fieldname=FILE *file* | table _time LOG FILE
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this (assuming 'LOG' represent sources with string "log" in the name and 'FILE' represents sources with string "file" in the name)
source=*Src some_filtering | ... | timechart span=5m max(ActCnt) by source | addtotals fieldname=LOG *log* | addtotals fieldname=FILE *file* | table _time LOG FILE
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, found a mistake in my query. Now all results are CORRECT! Marking the answer as accepted.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. It does display some subtotals. However, after comparison total numbers with not aggregated results I see differences. Will dig into that.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
