Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats query

PaulaCom
Path Finder
2 weeks ago

Morning All 

 

appreciate some guidance on a spl i'm working on and just cant get the information i require

my dataset is tickets on our helpdesk . Im looking for the total number of ticket each team has for each different request type. 

team is called techGroupLevel

request type is call problem_detail

here's my search so far and it's just note right. 

| table _time id displayClient location_Name problem_detail detail bookmarkableLink status priority techGroupId techGroupLevel tech_Name reportDateUtc lastUpdated closeDate
| stats values(problem_detail) as problem_detail count(problem_detail) as total by techGroupLevel

under the i'm getting the following 

 

PaulaCom_0-1731324301667.png

 

you can see that the figure returned on total is the combined total for all problem_details for each team 
i'd prefer to see a separate figure for each problem detail and then perhaps a total sum under each team but dont know how to go about this 

for example

techGroupLevel                                        problem_detail         Sub-Total                   Total 

Systems & Network                                 Email                               10                                     20

                                                                          Server                               5

                                                                         Shared Drive                   5

 

 

appreciate some guidance 

thanks 

 

Paula 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
2 weeks ago

That's as I described it. There are ways to remove this extra information but they are a little involved and may not give you what you need. One of the more simpler ways is to do this

| stats count by techGroupLevel problem_detail
| eventstats sum(count) as total by techGroupLevel
| stats list(problem_detail) as problem_detail list(count) as count values(total) as total by techGroupLevel

Note that problem_detail and count are now multivalue fields and you have to visually align the count with the problem detail rather than them being in separate events and therefore in alternating background colours. Btw, total is also technically a multivalue field but since there is only one value per techGroupLevel, this isn't immediately obvious!

View solution in original post

Reply
Solved! Jump to solution

PaulaCom
Path Finder
2 weeks ago

thanks 
i used the first line and that looks better
the second line just repeats the total on each line like this 🙂 

PaulaCom_0-1731328534920.png

 



0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
2 weeks ago

That's as I described it. There are ways to remove this extra information but they are a little involved and may not give you what you need. One of the more simpler ways is to do this

| stats count by techGroupLevel problem_detail
| eventstats sum(count) as total by techGroupLevel
| stats list(problem_detail) as problem_detail list(count) as count values(total) as total by techGroupLevel

Note that problem_detail and count are now multivalue fields and you have to visually align the count with the problem detail rather than them being in separate events and therefore in alternating background colours. Btw, total is also technically a multivalue field but since there is only one value per techGroupLevel, this isn't immediately obvious!

Reply
Solved! Jump to solution

PaulaCom
Path Finder
2 weeks ago

thank you for explaining 🙂 much appreciated 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
2 weeks ago

It is not so easy to get exactly the layout that you want as each resulting stats event contains a repeat of the information at the techGroupLevel level

| stats count by techGroupLevel problem_detail
| eventstats sum(count) as total by techGroupLevel
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...