Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Summing of row in a column on condition

vinay_ks04
New Member
‎01-27-2014 10:30 PM

I have three columns

ColumnA     ColumnB     ColumnC
vin          1            1
vin          1            2 
vin          2            3
kum          1            1
kum          1            2
kum          2            3

I wanted sum columnc and find out the percentage by ColumnA

ColumnA     ColumnB     ColumnC     "Totalof Columnc by Site" Percentage
vin          1            3              6                       50
             2            3              6                       50
kum          1            3              6                       50
             2            3              6                       50
Tags (1)
0 Karma
Reply

David
Splunk Employee
Splunk Employee
‎01-27-2014 10:44 PM

Based on your result, it looks like you want to add something like this to the end of your search:

| stats sum(ColumnC) as "Total of ColumnC by Site" by ColumnA, ColumnB | eventstats sum(ColumnC) as OverallColumnCTotal | eval Percentage = round("Total of ColumnC by Site" / OverallColumnCTotal * 100,0) | table ColumnA ColumnB ColumnC "Total of ColumnC by Site" Percentage

Does that match what you're looking for?

0 Karma
Reply

vinay_ks04
New Member
‎01-27-2014 11:57 PM

Thanks a lot 🙂
I have added extra columnname in stats, below is my query.

index="autolab_prod" sourcetype="Percentage_Usage_Config" | stats sum(taskcount) as TOTAL_Task by Site ConfigID CONFIG | eventstats sum(TOTAL_Task) as SiteTotal by Site | eval percent=round(100*TOTAL_Task/SiteTotal,0) | stats list(ConfigID) AS "CONFIG ID", list(CONFIG) AS CONFIGNAME, list(TOTAL_Task) AS "TASK_TOTAL", list(SiteTotal) AS TASK_TOTAL_COUNT, list(percent) as PERCENTAGE by Site

0 Karma
Reply

vinay_ks04
New Member
‎01-27-2014 11:28 PM

thank you,
yes, but I am not able to add one more column.

0 Karma
Reply

lguinn2
Legend
‎01-27-2014 10:43 PM

Try this

yoursearchhere
| stats sum(ColumnC) as CTotal by ColumnA ColumnB  
| eventstats sum(CTotal) as SiteTotal by ColumnA
| eval Percentage = round(CTotal*100/SiteTotal,0)
0 Karma
Reply

lguinn2
Legend
‎01-29-2014 11:39 PM

After the stats command, your search pipeline no longer has any fields except the ones that are the result of the command: TOTAL_Task Site and ConfigID

So if you want the CONFIG to be included, you will have to include it in the by clause of the stats command.

0 Karma
Reply

vinay_ks04
New Member
‎01-27-2014 11:19 PM

Thanks a lot it is working.......

I am adding one more column to just print the value which is there in the log, but it is not printing.
I am using "list(Config) As "Config Name"

index="autolab_prod" sourcetype="Percentage_Usage_Config" | stats sum(taskcount) as TOTAL_Task by Site ConfigID | eventstats sum(TOTAL_Task) as SiteTotal by Site | eval percent=round(100*TOTAL_Task/SiteTotal,0) | stats list(ConfigID) AS "CONFIG ID", list(CONFIG) AS "CONFIG NAME", list(TOTAL_Task) AS "TOTAL_Task", list(SiteTotal) AS SiteTotal, list(percent) as PERCENTAGE by Site

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...