Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Summary stats for a search

lehrfeld
Path Finder
‎12-12-2013 06:27 AM

Hi All - I'm working on creating a summary report and I am having difficulty discerning the various addtotals or addcoltotals commands to get Splunk to yield to my bidding. Here is what I have so far ...

location campID Clickers
cityA 1 20
cityA 2 10
cityA 3 5
cityB 1 15
cityB 2 25
cityC 4 7
... ..

sourcetype=phishing_clickers
| lookup lookup.csv identity as userID OUTPUT bunit as location
| stats count(userID) as Clickers by location, campID
| addColtotals

I would like to be able to sum each location's total Clicker amount. So something like this ...

location campID Clickers Total_Clicks
cityA 1 20
cityA 2 10
cityA 3 5
35
cityB 1 15
cityB 2 25
40
cityC 4 7
7
... ..

Thank you!!

Mike

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-12-2013 09:08 AM

First, I am not sure that you are getting the data you expect, As you show it "Clickers" should probably be labelled "Clicks" - your name implies that this is the number of people clicking, not the number of clicks. If you want the unique count for userID, then use distinct_count(userID) not count(userID). Very different.

But try this, changing back to count if that is really what you want,..

sourcetype=phishing_clickers
| lookup lookup.csv identity as userID OUTPUT bunit as location
| stats distinct_count(userID) as Clickers by location, campID
| appendpipe [stats sum(Clickers) as TotalClickers by location | eval campID = "Total"]
| sort location

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-12-2013 09:08 AM

First, I am not sure that you are getting the data you expect, As you show it "Clickers" should probably be labelled "Clicks" - your name implies that this is the number of people clicking, not the number of clicks. If you want the unique count for userID, then use distinct_count(userID) not count(userID). Very different.

But try this, changing back to count if that is really what you want,..

sourcetype=phishing_clickers
| lookup lookup.csv identity as userID OUTPUT bunit as location
| stats distinct_count(userID) as Clickers by location, campID
| appendpipe [stats sum(Clickers) as TotalClickers by location | eval campID = "Total"]
| sort location
0 Karma
Reply
Solved! Jump to solution

lehrfeld
Path Finder
‎12-12-2013 09:24 AM

Thank you! You are correct in your evaluation of the count Vs. distinct_count. However,in our shop the context is correct (these are not web logs, they have already been parsed partially before I get them in Splunk). My error in not defining the problem's scope properly.

I love that appendpipe command. Thank you! Mike

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Ready to make your IT operations smarter and more efficient? Discover how to automate Splunk alerts with Red ...