Splunk Search

Summarize field by specific field

WesleyFranklin
Explorer

Hey All,

I'm trying to accomplish a search here that seems so simple but I got stucked. I have this one where give me all Origination who made a call, good so far:

sourcetype=xyz Dur>0  OTG=* Int_DTG=Brazil
| top route_name, OTG limit=0 

I got all customers that called to Brazil, here I got 100 events on statistics area but grouped as:

OTG | Count

the count here is how many times the OTG made the call.

Sample:

OTG - Wesley Franklin | Count 40 calls
OTG - Jhon | Count 60

The total here is 100. I just want to made count/summ of all Count by OTG field that shows me a simple math as 100

Sorry if it's no clear I will really appreciate your patience and time.

Thank you so much.

Tags (1)
0 Karma

woodcock
Esteemed Legend

So skip the top and do this:

sourcetype=Brazil Dur>0 dn=026*
| stats count BY OTG
| sort 0 - count
| addtotals row=f col=t
| fillnull value="TOTAL"
0 Karma

macadminrohit
Contributor

how do you use makeresults command to generate this kind of sample eventset. I want to try this on my system

0 Karma

WesleyFranklin
Explorer

Hey,
Maybe I haven't explained it correctly, let's break it down:

So my current search it's:

sourcetype=Brazil Dur>0 dn=026*
| top OTG limit=0
| fields - percent

Well, here I will get: All customers from Brazil that are calling using dialed number 026 (at the beginning, dn field) and its source by OTG field then I got something like:

| OTG     | count | 
| Wesley  | 50 calls
| Jhon    | 50 calls

Where: OTG stands for Origination customer.

I'm getting 2differents OTG here I'd like to count it like:

| OTG |
| 10  |

Sorry if what I put firstly isn't that.

Thank you in advance.

0 Karma

Richfez
SplunkTrust
SplunkTrust

If I read your question correctly, simply add to the end of your search

...
| addcoltotals

That might do what you want. If it doesn't, please provide the search you use and a sample event or two so that we have a better idea of what you have now.

0 Karma
Get Updates on the Splunk Community!

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...