Solved: how to count values from a filed and show count as...

siddhardhans · ‎06-16-2020

i am running below query to get total count by date_mday.

search query | eval ver=substr(av,1,4) | stats count(ver) by date_mday

and getting results for total count by month day.

date_mday	count
1	23
2	25
3	35
4	21

However, i want the results as ver count and total count - something like

date_mday	ver1234	ver2345	ver3456	ver4567	total Count
1	10	2	0	11	23
2	9	5	2	9	25
3	11	7	4	13	35
4	8	0	2	11	21

Since eval (eval ver=substr(av,1,4)) is dynamically populating the values to ver - I can't use | stats count(eval()) function. Please help me out.

DalJeanis · ‎06-16-2020

Try this

search query 
| eval ver=substr(av,1,4)
| chart count by date_mday ver
| addtotals fieldname="Total Count"
| addcoltotals labelfield=date_mday label="All Days"

View solution in original post

DalJeanis · ‎06-16-2020

Try this

search query 
| eval ver=substr(av,1,4)
| chart count by date_mday ver
| addtotals fieldname="Total Count"
| addcoltotals labelfield=date_mday label="All Days"

siddhardhans · ‎06-16-2020

@DalJeanis this is great - any suggestion to get total count on these dynamic columns?

DalJeanis · ‎06-16-2020

| addtotals fieldname="Total Count"
| addcoltotals labelfield=date_mday label="All Days"

The addtotals command will add up the totals horizontally, the addcoltotals will add them vertically.

I've updated the code above to include these.

siddhardhans · ‎06-17-2020

@DalJeanis - thank you so much - i am able to see the table the way i needed.

how to count values from a filed and show count as column

eval

stats

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control