Renaming field value for totals

raby1996
Path Finder

Hi all, currently I'm using a search which returns results similar to this for each event, i.e. March, April, May, etc., where the second occurrence of March in this case gives me the totals for Installs and MM.
I was wondering if there was any way that I could set up my search so that the second occurrence of the group name will read as "totals" or something similar.
Here is the part of my search that gives me this table format, and as always thank you for the help.

| table Group, Bundle, Installs, Build, MM,  |appendpipe [| stats sum(Installs) as Installs sum(MM) as MM by Group ] |sort Group



   Group           Bundle             Installs        MM
   March             1a                  3            50
                     2a                  2            20
                     3a                  5            10

   March                                 10            80

masonmorales
Influencer

Try:

 | table Group, Bundle, Installs, Build, MM,  | sort Group | appendpipe [| stats sum(Installs) as Installs sum(MM) as MM by Group | eval Group="Totals" ]

raby1996
Path Finder

It does work; however, it renames every field under Group. I would like to limit it to only renaming the second occurrence of that field value, so for example turning this:

    Group           Bundle             Installs        MM
    March             1a                  3            50
                      2a                  2            20
                      3a                  5            10

    March                                 10            80

into this:

    Group           Bundle             Installs        MM
    March             1a                  3            50
                      2a                  2            20
                      3a                  5            10

    Totals                                10            80

Thank you

masonmorales
Influencer

Every Group value said "Totals"? Did you perform the eval inside the appendpipe only? If sorting is just being lost, we can preserve its "real" group by creating another field using eval and then sorting on that.

raby1996
Path Finder

Sorry, yes it did work. It just slipped my mind to put the command into the appendpipe. For the sorting issue, you mean basically leaving the "real" group in the background so it can sort by that but display the "Totals" label?

masonmorales
Influencer

Yes, exactly. I think it'd look something like this for your search:

| table Group, Bundle, Installs, Build, MM, | eval Sorter=Group | appendpipe [| stats sum(Installs) as Installs sum(MM) as MM by Group | eval Sorter=Group | eval Group="Totals" ] | sort -Sorter | fields - Sorter

The sort should stay in place since we are removing the Sorter field after it has already been applied by the sort command.

Either way, let me know how you make out. 🙂
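A self-contained version of that search, added here as an example and not taken from the thread: the detail rows are built with makeresults from constructed sample data (two groups, no index needed), and a second sort key, the hypothetical Order field, is added so the Totals row always lands after its group's detail rows instead of relying on sort keeping the appended rows in place.

```spl
| makeresults
| eval data="March,1a,3,50;March,2a,2,20;March,3a,5,10;April,1b,4,40;April,2b,1,15"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<Group>[^,]+),(?<Bundle>[^,]+),(?<Installs>\d+),(?<MM>\d+)$"
| fields - _time data
| table Group, Bundle, Installs, MM
| eval Sorter=Group, Order=0
| appendpipe [ stats sum(Installs) as Installs sum(MM) as MM by Group
    | eval Sorter=Group, Order=1, Group="Totals" ]
| sort Sorter Order
| fields - Sorter Order
```

Inside the appendpipe the eval assigns Sorter from Group before overwriting Group, so each Totals row still carries its real group name for sorting; the helper fields are dropped once the sort has been applied.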

raby1996
Path Finder

That worked wonderfully, thank you!
