Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Pulling Sub-Totals in a table

itsmevic
Communicator
‎04-13-2020 06:18 PM

I ingested a .CSV into Splunk which contained some patching information derived from another system. The problem with the report is that it's producing multiple rows with the same patch information. I ran it through Splunk to see if I could clean it up some by using the following query:

index=patching sourcetype=patching
| stats count by Patch_History, Patch_Number, Count
| sort -Count
| stats list(Patch_History) as Count, list(Count) by Patch_Number

This query produced the following output:

alt text

I'd like to add a subtotal for each section. I've tried using | addcolumns fieldname=" ", etc., but am not getting the desired results. Any help is appreciated!

Tags (1)
Preview file
71 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-13-2020 07:33 PM

@itsmevic please try the following approach with eventstats to get the sum as Sub_Total and values() or last() or first to show only one value for Sub_Total

index=patching sourcetype=patching
| stats count by Patch_History, Patch_Number, Count
| eventstats sum(Count) as Sub_Total by Patch_Number
| sort - Count
| stats list(Patch_History) as Patch_History, list(Count) as Count, values(Sub_Total) as Sub_Total by Patch_Number
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-13-2020 07:33 PM

@itsmevic please try the following approach with eventstats to get the sum as Sub_Total and values() or last() or first to show only one value for Sub_Total

index=patching sourcetype=patching
| stats count by Patch_History, Patch_Number, Count
| eventstats sum(Count) as Sub_Total by Patch_Number
| sort - Count
| stats list(Patch_History) as Patch_History, list(Count) as Count, values(Sub_Total) as Sub_Total by Patch_Number
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

itsmevic
Communicator
‎04-13-2020 07:55 PM

Boom! Nike, you are a lifesaver! Thank you! The output is exactly what I need!

Reply
Solved! Jump to solution

niketn
Legend
‎04-13-2020 07:59 PM

@itsmevic you were so close that I am sure you would have got it yourself after tea/coffee or may be a nap 🙂
Keep Splunking!!!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...