Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the difference in total and Total?

emilynicole73
Engager
‎07-23-2019 05:00 AM

index="YOURINDEX" |stats count by domain, id.orig_h | sort -count |stats list(domain) as Domain, list(count) as count sum(count) as Total by id.orig_h |sort -total | head 10

So if I change Total to total, I get different results. Which one would be the correct?

Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-23-2019 06:35 AM

'Total' and 'total' are completely different fields. They cannot be used interchangeably. 'Total' is one result produced by the second stats command. 'total' is null as it not a result from stats. You probably want 'Total'.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dmarling
Builder
‎07-23-2019 06:13 AM

You are getting different results because you are applying a sort to a nonexistent field when Total is capitalized and then doing a head 10. The sort is not being applied with a capital "Total" field so you get a different first 10 results with a head 10 than when you sort in descending order with a lower case total. There is nothing wrong or right here, it's just a mistake in your query due to case sensitivity of field names in Splunk.

It would match if you made it this:

index="YOURINDEX" |stats count by domain, id.orig_h | sort -count |stats list(domain) as Domain, list(count) as count sum(count) as Total by id.orig_h |sort -Total | head 10

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply

vnravikumar
Champion
‎07-23-2019 06:10 AM

Hi

Field names are always case sensitive, please check.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...