Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to count values from a filed and show count as...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
siddhardhans
Explorer
06-16-2020
06:25 PM
i am running below query to get total count by date_mday.
search query | eval ver=substr(av,1,4) | stats count(ver) by date_mday
and getting results for total count by month day.
| date_mday | count |
| 1 | 23 |
| 2 | 25 |
| 3 | 35 |
| 4 | 21 |
However, i want the results as ver count and total count - something like
| date_mday | ver1234 | ver2345 | ver3456 | ver4567 | total Count |
| 1 | 10 | 2 | 0 | 11 | 23 |
| 2 | 9 | 5 | 2 | 9 | 25 |
| 3 | 11 | 7 | 4 | 13 | 35 |
| 4 | 8 | 0 | 2 | 11 | 21 |
Since eval (eval ver=substr(av,1,4)) is dynamically populating the values to ver - I can't use | stats count(eval()) function. Please help me out.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
06-16-2020
06:33 PM
Try this
search query
| eval ver=substr(av,1,4)
| chart count by date_mday ver
| addtotals fieldname="Total Count"
| addcoltotals labelfield=date_mday label="All Days"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
06-16-2020
06:33 PM
Try this
search query
| eval ver=substr(av,1,4)
| chart count by date_mday ver
| addtotals fieldname="Total Count"
| addcoltotals labelfield=date_mday label="All Days"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
siddhardhans
Explorer
06-16-2020
06:42 PM
@DalJeanis this is great - any suggestion to get total count on these dynamic columns?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
06-16-2020
10:07 PM
| addtotals fieldname="Total Count"
| addcoltotals labelfield=date_mday label="All Days"
The addtotals command will add up the totals horizontally, the addcoltotals will add them vertically.
I've updated the code above to include these.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
siddhardhans
Explorer
06-17-2020
08:45 AM
Get Updates on the Splunk Community!
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Splunk Observability Cloud’s AI Assistant in Action Series: Identifying Unknown ...
Agentic AI powers the Splunk AI Assistant within the Splunk Observability Cloud interface to help you quickly ...
