- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: search language
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, how do I get subtotal count for each Host and Total for all count, in additional count for all different status.
Host Status Count
| HostA | Disconnected | 1 |
| HostA | Running | 19 |
| HostA | RunningWithErrors | 2 |
| HostA | BadConnectivity | 2 |
| HostB | Disabled | 2 |
| HostB | Disconnected | 1 |
| HostB | Running | 17 |
| HostB | RunningWithErrors | 5 |
| HostC | BadConnectivity | 1 |
| HostC | Running | 7 |
| HostC | RunningWithErrors | 5 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're using count as a splunk function whereas in original post count is a field. So your count will just count the counts 😉 and what seems to be really needed is a sum of counts.
And your construction will yield some strange results.
What the OP wanted was simply one:
<original search> | stats sum(Count) by Host | addtotals row=f col=t labelfield=Host
and two:
<original search>| stats sum(Count) by Status | <optionaly addtotals as in example above>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need two different searches - one to sum count over hosts (and then do addtotals to get total sum) and another one to sum over statuses. That's the simplest solution I think
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for response, can you provide the query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @francly,
you could try something like this.
index=your_index
| stats count BY host Status
| append [ search
index=your_index
| stats count BY host
| eval Status="Total"
]
| sort host Status
| rename host AS HostCiao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're using count as a splunk function whereas in original post count is a field. So your count will just count the counts 😉 and what seems to be really needed is a sum of counts.
And your construction will yield some strange results.
What the OP wanted was simply one:
<original search> | stats sum(Count) by Host | addtotals row=f col=t labelfield=Host
and two:
<original search>| stats sum(Count) by Status | <optionaly addtotals as in example above>
Build Scalable Security While Moving to Cloud - Guide From Clayton Homes
Mission Control | Explore the latest release of Splunk Mission Control (2.3)
Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7
