Hello

I am trying to create a total of values in different fields and add it to the output as a different field. I am able to get the value of different fields but got stuck on how to add them.

sourcetype="xxxx" earliest=-31d@d latest=@d | dedup record.incidentId | stats count by record.priority

This is the command which I used to get the data. The data now is

record.priority    count
1                  6
2                  7568
3                  6346
4                  68

Now I wanted to add another field with a total of all the count values in the same chart.

Does anyone have an idea on how to do that? Is there any other method where I can first get the whole total of the count in a bar chart for a 31 day period and then probably draw the graph with different priority fields which gives the information about each priority with a count of incidents created per day?

Regards

-theou

asked 15 Oct '12, 07:51

theouhuios


2 Answers:

Used the addtotals <fields> command to get a total value. Then used fields to remove the redundant fields which weren't needed.

Thanks for all your help.

answered 15 Oct '12, 12:04

theouhuios

You should probably look at the addcoltotals command;

your_search_here | addcoltotals labelfield=record.priority label="Total count"

See the docs here: http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Addcoltotals

For the second part of your query, I don't really understand how you want the output, but try;

sourcetype="xxxx" earliest=-31d@d latest=@d| dedup record.incidentId  | timechart span=1d count by record.priority

You can paste the search (or write a new one from scratch) into the Advanced Charting view (under the "Dashboards & Views" menu), and play around with the visualization options.

Hope this helps,

Kristian

answered 15 Oct '12, 08:22

kristian.kolb ♦

that or eventstats

(15 Oct '12, 08:28) gkanapathy ♦

true, addcoltotals does not create a new field per se, but I gathered that the real request was more for presentation purposes.

(15 Oct '12, 08:33) kristian.kolb ♦

Hmm.. The timechart is the way which I am doing as of now. But I am trying to see if I can actually use multiple visualizations on a single dashboard. Like a bar chart mentioning the total count of incidents and then a line chart upon the bar chart which graphs according to number of incidents and the priority of the incident.

(15 Oct '12, 08:51) theouhuios
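
The three commands mentioned in this thread, applied to the search from the question (an added example, not part of the original posts). The searches are separate and, in order, use eventstats to put the grand total in a new field on every priority row, addcoltotals to append a single total row, and addtotals to add a per-day total column to the timechart. The field names total and Total are chosen here for illustration.

```spl
sourcetype="xxxx" earliest=-31d@d latest=@d
| dedup record.incidentId
| stats count by record.priority
| eventstats sum(count) as total

sourcetype="xxxx" earliest=-31d@d latest=@d
| dedup record.incidentId
| stats count by record.priority
| addcoltotals labelfield=record.priority label="Total count"

sourcetype="xxxx" earliest=-31d@d latest=@d
| dedup record.incidentId
| timechart span=1d count by record.priority
| addtotals fieldname=Total
```

With the counts shown in the question, the first two searches report a total of 13988.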

Asked: 15 Oct '12, 07:51

Seen: 1,849 times

Last updated: 15 Oct '12, 12:04

Copyright © 2005-2014 Splunk Inc. All rights reserved.