Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search language

francly
Explorer
‎08-27-2021 04:37 AM

Hi, how do I get subtotal count for each Host and Total for all count, in additional count for all different status.

Host                            Status                             Count

HostADisconnected1
HostARunning19
HostARunningWithErrors2
HostABadConnectivity2
HostBDisabled2
HostBDisconnected1
HostBRunning17
HostBRunningWithErrors5
HostCBadConnectivity1
HostCRunning7
HostCRunningWithErrors5
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎08-30-2021 12:03 AM

You're using count as a splunk function whereas in original post count is a field. So your count will just count the counts 😉 and what seems to be really needed is a sum of counts.

And your construction will yield some strange results.

What the OP wanted was simply one:

<original search> | stats sum(Count) by Host | addtotals row=f col=t labelfield=Host

and two:

<original search>| stats sum(Count) by Status | <optionaly addtotals as in example above>

 

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎08-27-2021 05:21 AM

You need two different searches - one to sum count over hosts (and then do addtotals to get total sum) and another one to sum over statuses. That's the simplest solution I think

0 Karma
Reply
Solved! Jump to solution

francly
Explorer
‎08-29-2021 01:06 AM

thanks for response, can you provide the query.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-29-2021 09:33 AM

Hi @francly,

you could try something like this.

index=your_index
| stats count BY host Status
| append [ search 
     index=your_index
     | stats count BY host
     | eval Status="Total"
     ]
| sort host Status
| rename host AS Host

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎08-30-2021 12:03 AM

You're using count as a splunk function whereas in original post count is a field. So your count will just count the counts 😉 and what seems to be really needed is a sum of counts.

And your construction will yield some strange results.

What the OP wanted was simply one:

<original search> | stats sum(Count) by Host | addtotals row=f col=t labelfield=Host

and two:

<original search>| stats sum(Count) by Status | <optionaly addtotals as in example above>

 

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...