Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to do append after a |stats sum(fields)

dtccsundar
Path Finder
‎10-03-2021 11:26 PM

Hi,

Below is my search ,

 index=aa sourcetype=bb|stats sum(CountOf_True) as True sum(CountOf_false) as false|table True  False |eval comp="Test1"

|append [|search index=cc sourcetype=dd|eval comp="Test2"]

|eventstats count as total_count by comp
|stats count(eval(Status=="True")) as True count(eval(Status=="False")) as False count(eval(Status=="Error")) as "Error" count(eval(Status=="Excluded")) as "Excluded" max(total_count) as total by comp
|eval "True %"=round((('True'+'Excluded')/total*100),2)
|eval "False %"=round((('False'+'Error')/total*100),2)

| sort sort_field |fields - sort_field
|table Comp "True %" "False %"

The result which is get is ,

Comp            True %      False %

Test1              0                 0

Test2             93.00        7.00

 

I have to get the actual % for Test1 too .  Iam getting "0 " .Not sure my append is wrong with stats Sum() .

Please can any one give me right way to get the values for the above search .

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2021 12:11 AM

This line:

 index=aa sourcetype=bb|stats sum(CountOf_True) as True sum(CountOf_false) as false|table True  False |eval comp="Test1"

will give you True False and comp fields

This line

|stats count(eval(Status=="True")) as True count(eval(Status=="False")) as False count(eval(Status=="Error")) as "Error" count(eval(Status=="Excluded")) as "Excluded" max(total_count) as total by comp

is based on the value of Status - this no longer exists for comp="Test1" which is why you are getting zeroes

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2021 12:11 AM

This line:

 index=aa sourcetype=bb|stats sum(CountOf_True) as True sum(CountOf_false) as false|table True  False |eval comp="Test1"

will give you True False and comp fields

This line

|stats count(eval(Status=="True")) as True count(eval(Status=="False")) as False count(eval(Status=="Error")) as "Error" count(eval(Status=="Excluded")) as "Excluded" max(total_count) as total by comp

is based on the value of Status - this no longer exists for comp="Test1" which is why you are getting zeroes

Reply
Solved! Jump to solution

dtccsundar
Path Finder
‎10-04-2021 02:21 AM

Thank you ITWhisperer

Is there a way to achieve this ? Whether i can create a new field Status and bring the values into that field ?

Please tell me if there a way available to do this too.

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-04-2021 02:34 AM

Try something like this

 index=aa sourcetype=bb|stats sum(CountOf_True) as True sum(CountOf_false) as false|table True  False |eval comp="Test1"

|append [|search index=cc sourcetype=dd
|stats count(eval(Status=="True" OR Status=="Excluded")) as True count(eval(Status=="False" OR Status=="Error")) as False 
|eval comp="Test2"]

|eval total_count=True+False

|eval "True %"=round(100*True/total_count,2)
|eval "False %"=round(100*False/total_count,2)

|table comp "True %" "False %"
Reply
Solved! Jump to solution

dtccsundar
Path Finder
‎10-05-2021 12:22 AM

Thank you .This works great !!

0 Karma
Reply
Solved! Jump to solution

dtccsundar
Path Finder
‎10-05-2021 03:53 AM

 

Following this , i am in need of a column which should show barchart  for (False %  and True%) each comp values .

Ex :

Comp   True%   False%   Barchart

 Test1     55            45         corresponding % bar chart

Test2     66            34         corresponding % bar chart

This is the requirement from client, Can you help me please .

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...