Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Complete a timechart with a total column

Emilien
Explorer
‎05-02-2012 07:35 AM

Hello,

I got a timechart with 16 values automatically generated. But I want to have another column to show the sum of all these values.

This is my search :

index="jdbc"
sourcetype="BD_PANDORA_PROD" |
timechart span=1mon limit=16
eval(max(nbr_teams)) by directorate |
rename _time AS Time | eval
Time=strftime(Time, "%B")

http://imageshack.us/photo/my-images/502/totalresult2.jpg/

Have a look at the only result I was able to make :

index="jdbc"
sourcetype="BD_PANDORA_PROD" |
timechart span=1mon limit=16
eval(max(nbr_teams)) by directorate |
append [search index="jdbc"
sourcetype="BD_PANDORA_PROD" |
timechart
eval(round((sum(nbr_teams)/(count(nbr_teams)/16)),0))
AS TOTAL by Time ]

| rename _time AS Time | eval
Time=strftime(Time, "%B")

But this is not what I expected…
http://imageshack.us/photo/my-images/856/totalresult1.jpg/

Thank you for helping me.

Emilien

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Emilien
Explorer
‎05-04-2012 01:10 AM

Stop searching, this is very simple, just add "| addtotals"

it looks like this code :

index="jdbc"
sourcetype="BD_PANDORA_PROD" |
timechart span=1mon limit=16
eval(max(nbr_teams)) by directorate |
addtotals | rename _time AS Time |
eval Time=strftime(Time, "%B")

And it's done !

Enjoy !

View solution in original post

Reply
Solved! Jump to solution
Solution

Emilien
Explorer
‎05-04-2012 01:10 AM

Stop searching, this is very simple, just add "| addtotals"

it looks like this code :

index="jdbc"
sourcetype="BD_PANDORA_PROD" |
timechart span=1mon limit=16
eval(max(nbr_teams)) by directorate |
addtotals | rename _time AS Time |
eval Time=strftime(Time, "%B")

And it's done !

Enjoy !

Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎05-02-2012 08:03 AM

In the past I've used eventstats to calculate a total field for a search. Unfortunately, the place to apply it doesn't jump out at me from your example.

Maybe something like

index="jdbc"
sourcetype="BD_PANDORA_PROD"  |
stats max(nbr_teams) AS max by directorate |
eventstats sum(max) AS Total | 
timechart ...
Reply
Solved! Jump to solution

Emilien
Explorer
‎05-03-2012 02:11 AM

I'm sorry, I did not succeed in this way.
I'm close to the goal with :

index="jdbc" sourcetype="BD_PANDORA_PROD"

| timechart span=1mon limit=16 eval(max(nbr_teams)) by directorate
| appendcols
[search index="jdbc" sourcetype="BD_PANDORA_PROD" | timechart span=1mon eval(round((sum(nbr_teams)/(count(nbr_teams)/16)),0)) AS TOTAL by Time ]
| rename _time AS Time | eval Time=strftime(Time, "%B")

But this new column is called "Null" and stay between others column instead of being at the end...
But I think, they is a better solution for my huge eval expression

0 Karma
Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎05-02-2012 08:00 AM

Just as an aside, you can do "convert timeformat=%B ctime(_time) AS Time" instead of the rename / eval.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...