Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

chart count over in splunk

surekhasplunk
Communicator
‎03-08-2018 10:14 AM 
| rest /services/authentication/users splunk_server=local | search [| rest /services/authentication/current-context | rename username as title | fields title] |fields realname |map[|inputlookup mpc.csv |chart count over "Sub Division 4" by "Enrollment Status" | eval Enrolled=if(isnotnull(Enrolled),Enrolled,0) | eval In-Progress=if(isnotnull('In-Progress'),'In-Progress',0) |eval Completed=if(isnotnull(Completed),Completed,0)| eval total='Completed'+'Enrolled'+'In-Progress' |eval %Completed=round(('Completed'/('total'))*100,2) |eval %Enrolled=round((Enrolled/('total'))*100,2)|eval "%In-Progress"=round(('In-Progress'/('total'))*100,2) |rename total as "Total Employee Count" "Sub Division 4" as "Business Area"| fields "Business Area" "Supervisor Name" "Total Employee Count" %Enrolled "%In-Progress" %Completed]

Currently am using above query which is showing me all the enrollment status values by business area but in addition to that i want to search the realname in the mpc.csv file in the column "supervisor Name" and display it.
how to do that ?

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎03-08-2018 10:53 AM

Try like this

|inputlookup mpc.csv 
| where 'Supervisor Name'=[| rest /services/authentication/current-context splunk_server=local | table realname | rename realname as search | format] | eval "Sub Division 4"='Sub Division 4'."##".'Supervisor Name'
|chart count over "Sub Division 4" by "Enrollment Status" 
| eval Enrolled=if(isnotnull(Enrolled),Enrolled,0) | eval In-Progress=if(isnotnull('In-Progress'),'In-Progress',0) |eval Completed=if(isnotnull(Completed),Completed,0)
| eval total='Completed'+'Enrolled'+'In-Progress' |eval %Completed=round(('Completed'/('total'))*100,2) 
|eval %Enrolled=round((Enrolled/('total'))*100,2)|eval "%In-Progress"=round(('In-Progress'/('total'))*100,2) 
| rex field="Sub Division 4" "(?<SubDiv>[^#]+)##(?<Supervisor>.+)"
|rename total as "Total Employee Count" "SubDiv" as "Business Area" Supervisor as "Supervisor Name"| fields "Business Area" "Supervisor Name" "Total Employee Count" %Enrolled "%In-Progress" %Completed
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...