I have gone over Splunk's tutorial to create Pivot tables. Now that I know the process, I would appreciate some direction on how to effectively summarize totals by department ID. Here is a simple water down sample of my input data: ID Amount g0001 20000 g0002 10000 g0001 20000 g0003 20000 g0001 10000 g0004 20000 .... The pivot should provide the following (ID will be on x axis and Total Amount on the y axis for a bar chart): ID Total Amount g0001 50000 g0002 10000 g0003 20000 g0004 20000 Splunk requires: 1. tutorialdata.zip to create the pivot data model 2. Prices.csv.zip to create the pivot lookup data How does Splunk data files translates to my input data? Is the tutorialdata.zip equivalent to my input data shown above? Does Splunk require to create from my input data shown above something equivalent to Prices.csv.zip for the Lookup data? When creating a pivot table, I select "ID" under the split Rows and Count under column values which displays the following result: ID Count g0001 3 g0002 1 g0003 1 g0004 1 When creating a pivot table, I select "ID" under the split Rows and Sum for Amount under column values which displays the following result (the sum for Amount shows as blank): ID Sum g0001 g0002 g0003 g0004 I would appreciate any comments. Thanks! ... View more

I am familiar with Pivot tables under Microsoft Excel and would like to recreate Pivot tables in Splunk, but don't know where to begin. Splunk requires data models, but how does a data model match my input file and why does Splunk needs it to create a Pivot Table? I see only two sample data models under Pivot. How can I add data models? Does Pivot work like in Excel? I would appreciate any help. Thanks! ... View more

I would appreciate any comments. Search Case 1 host="HP" sourcetype="csv" Displays all fields for 8292 events Search Case 2 host="HP" sourcetype="csv" | table ActionObligation | makemv ActionObligation | mvexpand ActionObligation | replace "$*" with "*","($*)" with "-*" in ActionObligation | eval ActionObligation1=tonumber(replace(ActionObligation,",","")) | eventstats sum(ActionObligation1) as Total | eval Total=if(Total>0,"$".tostring(Total,"commas"),"($".tostring(Total*-1,"commas").")") Displays 8292 events with these 3 fields: Action Obligation Action Obligation1 Total 1 1 $200,000 How can I display Case 1 and Case 2 together? Case 1 would have 3 additional fields from case 2 added to end of each event. Example: (Case 1) (Case 2) event Action Obligation Action Obligation1 Total values... 1 1 $200,000 Thanks! ... View more

I would appreciate any comments: 1) Added "Total" as one of my Selected Fields from the following search (this worked fine): host="HP" sourcetype="csv" | eval ActionObligation1=tonumber(replace(ActionObligation,",","")) | eventstats sum(ActionObligation1) as Total | eval Total=if(Total>0,"$".tostring(Total,"commas"),"($".tostring(Total*-1,"commas").")") 2) Then I changed "Total" to "GrandTotal" and forgot to remove the previous "Total" from Selected Fields host="HP" sourcetype="csv" | eval ActionObligation1=tonumber(replace(ActionObligation,",","")) | eventstats sum(ActionObligation1) as GrandTotal | eval GrandTotal=if(GrandTotal>0,"$".tostring(GrandTotal,"commas"),"($".tostring(GrandTotal*-1,"commas").")") 3) I then unchecked all Selected Fields 4) How do I get GrandTotal to appear in Interesting Fields? It no longer displays as an interesting new field. I tried changing back to Total and it no longer displays it under Interesting fields either. ... View more