Splunk Search

calculate the total value for each field value classification

pipipipi
Path Finder

Hi all.

I want to calculate the total value for each field value classification.

index=test1
|rex field="test2" (?<year>\d\d\d\d)/
|rex field="test2" /(?<month>\d+)/
|eval date=case(year==2020 AND month==2, "2020/02", year==2020 AND month==1, "2020/01", year==2019 AND month==12, "2019/12")
|search date=2020/02
|stats count by date place description

Splunk return this.

    date    place     description    count
    2020/02   A     OK                3
    2020/02   A     NG                2
    2020/02   A     None              1
    2020/02   B     OK                3
    2020/02   B     NG                2
    2020/02   B     None              1
    2020/02   C     OK                3
    2020/02   C     NG                2
    2020/02   C     None              1

I want to calculate the total value for each place field values.

date    place description count Total
2020/02 A     OK             3
2020/02       NG             2
2020/02       None           1     6
2020/02 B     OK             3
2020/02       NG             1
2020/02       None           1     5
2020/02 C     OK             4
2020/02       NG             2
2020/02       None           1     7

I have no idea to use which fields.
(I tired |stats list(description) by date place but I have no idea to count....)
(description has many field values such as OK NG NOne NOT BAD etc....)

Is there any way to return this results?

Thank you for helping me.

0 Karma
1 Solution

HiroshiSatoh
Champion

If you want to show all fields

index=test1
 |rex field="test2" (?<year>\d\d\d\d)/
 |rex field="test2" /(?<month>\d+)/
 |eval date=case(year==2020 AND month==2, "2020/02", year==2020 AND month==1, "2020/01", year==2019 AND month==12, "2019/12")
 |search date=2020/02
 |stats count by date place description
 |eventstats  sum(count) as Total by  date ,place 

View solution in original post

0 Karma

HiroshiSatoh
Champion

If you want to show all fields

index=test1
 |rex field="test2" (?<year>\d\d\d\d)/
 |rex field="test2" /(?<month>\d+)/
 |eval date=case(year==2020 AND month==2, "2020/02", year==2020 AND month==1, "2020/01", year==2019 AND month==12, "2019/12")
 |search date=2020/02
 |stats count by date place description
 |eventstats  sum(count) as Total by  date ,place 

View solution in original post

0 Karma

pipipipi
Path Finder

Thank you,

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!