I am trying to create a total of values in different fields and add it to the output as a different field. I am able to get the value of different fields but got stuck on how to add them.
sourcetype="xxxx" earliest=-31d@d latest=@d | dedup record.incidentId | stats count by record.priority
This is the command which I used to get the data. The data now is
record.priority    count
1                  6
2                  7568
3                  6346
4                  68
Now I wanted to add another field with a total of all the count values in the same chart.
Does anyone have an idea on how to do that? Is there any other method where I can first get the whole total of the count in a bar chart for a 31-day period and then probably draw the graph with different priority fields, which gives the information about each priority with a count of incidents created per day?
You should probably look at the
your_search_here | addcoltotals labelfield=record.priority label="Total count"
For the second part of your query, I don't really understand how you want the output, but try:
sourcetype="xxxx" earliest=-31d@d latest=@d | dedup record.incidentId | timechart span=1d count by record.priority
You can paste the search (or write a new one from scratch) into the Advanced Charting view (under the "Dashboards & Views" menu), and play around with the visualization options.
Hope this helps,