Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats query

PaulaCom
Path Finder
‎11-11-2024 03:38 AM

Morning All 

 

appreciate some guidance on a spl i'm working on and just cant get the information i require

my dataset is tickets on our helpdesk . Im looking for the total number of ticket each team has for each different request type. 

team is called techGroupLevel

request type is call problem_detail

here's my search so far and it's just note right. 

| table _time id displayClient location_Name problem_detail detail bookmarkableLink status priority techGroupId techGroupLevel tech_Name reportDateUtc lastUpdated closeDate
| stats values(problem_detail) as problem_detail count(problem_detail) as total by techGroupLevel

under the i'm getting the following 

 

PaulaCom_0-1731324301667.png

 

you can see that the figure returned on total is the combined total for all problem_details for each team 
i'd prefer to see a separate figure for each problem detail and then perhaps a total sum under each team but dont know how to go about this 

for example

techGroupLevel                                        problem_detail         Sub-Total                   Total 

Systems & Network                                 Email                               10                                     20

                                                                          Server                               5

                                                                         Shared Drive                   5

 

 

appreciate some guidance 

thanks 

 

Paula 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-11-2024 04:47 AM

That's as I described it. There are ways to remove this extra information but they are a little involved and may not give you what you need. One of the more simpler ways is to do this

| stats count by techGroupLevel problem_detail
| eventstats sum(count) as total by techGroupLevel
| stats list(problem_detail) as problem_detail list(count) as count values(total) as total by techGroupLevel

Note that problem_detail and count are now multivalue fields and you have to visually align the count with the problem detail rather than them being in separate events and therefore in alternating background colours. Btw, total is also technically a multivalue field but since there is only one value per techGroupLevel, this isn't immediately obvious!

View solution in original post

Reply
Solved! Jump to solution

PaulaCom
Path Finder
‎11-11-2024 04:35 AM

thanks 
i used the first line and that looks better
the second line just repeats the total on each line like this 🙂 

PaulaCom_0-1731328534920.png

 



0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-11-2024 04:47 AM

That's as I described it. There are ways to remove this extra information but they are a little involved and may not give you what you need. One of the more simpler ways is to do this

| stats count by techGroupLevel problem_detail
| eventstats sum(count) as total by techGroupLevel
| stats list(problem_detail) as problem_detail list(count) as count values(total) as total by techGroupLevel

Note that problem_detail and count are now multivalue fields and you have to visually align the count with the problem detail rather than them being in separate events and therefore in alternating background colours. Btw, total is also technically a multivalue field but since there is only one value per techGroupLevel, this isn't immediately obvious!

Reply
Solved! Jump to solution

PaulaCom
Path Finder
‎11-11-2024 04:50 AM

thank you for explaining 🙂 much appreciated 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-11-2024 04:32 AM

It is not so easy to get exactly the layout that you want as each resulting stats event contains a repeat of the information at the techGroupLevel level

| stats count by techGroupLevel problem_detail
| eventstats sum(count) as total by techGroupLevel
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...