Splunk Search

calculate the total value for each field value classification

pipipipi
Path Finder

Hi all.

I want to calculate the total value for each field value classification.

index=test1
|rex field="test2" (?<year>\d\d\d\d)/
|rex field="test2" /(?<month>\d+)/
|eval date=case(year==2020 AND month==2, "2020/02", year==2020 AND month==1, "2020/01", year==2019 AND month==12, "2019/12")
|search date=2020/02
|stats count by date place description

Splunk return this.

    date    place     description    count
    2020/02   A     OK                3
    2020/02   A     NG                2
    2020/02   A     None              1
    2020/02   B     OK                3
    2020/02   B     NG                2
    2020/02   B     None              1
    2020/02   C     OK                3
    2020/02   C     NG                2
    2020/02   C     None              1

I want to calculate the total value for each place field values.

date    place description count Total
2020/02 A     OK             3
2020/02       NG             2
2020/02       None           1     6
2020/02 B     OK             3
2020/02       NG             1
2020/02       None           1     5
2020/02 C     OK             4
2020/02       NG             2
2020/02       None           1     7

I have no idea to use which fields.
(I tired |stats list(description) by date place but I have no idea to count....)
(description has many field values such as OK NG NOne NOT BAD etc....)

Is there any way to return this results?

Thank you for helping me.

0 Karma
1 Solution

HiroshiSatoh
Champion

If you want to show all fields

index=test1
 |rex field="test2" (?<year>\d\d\d\d)/
 |rex field="test2" /(?<month>\d+)/
 |eval date=case(year==2020 AND month==2, "2020/02", year==2020 AND month==1, "2020/01", year==2019 AND month==12, "2019/12")
 |search date=2020/02
 |stats count by date place description
 |eventstats  sum(count) as Total by  date ,place 

View solution in original post

0 Karma

HiroshiSatoh
Champion

If you want to show all fields

index=test1
 |rex field="test2" (?<year>\d\d\d\d)/
 |rex field="test2" /(?<month>\d+)/
 |eval date=case(year==2020 AND month==2, "2020/02", year==2020 AND month==1, "2020/01", year==2019 AND month==12, "2019/12")
 |search date=2020/02
 |stats count by date place description
 |eventstats  sum(count) as Total by  date ,place 
0 Karma

pipipipi
Path Finder

Thank you,

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...