Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Addtotals - Percentage of 2 total fields as new field

ronnybruska
New Member
‎05-09-2018 03:05 AM

Hi there,

i created a table:

Date | Value1 | Value2 | Percentage

The last line should be:

"total" | total of Value1 | total of Value2 | Percentage change of "total of Value1" and "total of Value2"

So i want to calculate two total fields to add a third total field because the last field shouldn't be the total of all percentage.
I already got the first 3 fields but could not find out how to add a second field with addtotals

addtotals col=true row=false "Value1", "Value2", labelfield="Date" label="total"

Is this possible?

Thx!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-09-2018 08:44 AM

How about this instead:

index=_* sourcetype=splunkd component=metrics
| timechart span=1h avg(kb) AS Value1 avg(ev) AS Value2 avg(load_average) AS Peercentage

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution:"

| appendpipe [ stats sum(Value1) AS Value1 sum(Value2) AS Value2 avg(Percentage) AS Percentage ]
| fillnull value="total"

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-09-2018 08:44 AM

How about this instead:

index=_* sourcetype=splunkd component=metrics
| timechart span=1h avg(kb) AS Value1 avg(ev) AS Value2 avg(load_average) AS Peercentage

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution:"

| appendpipe [ stats sum(Value1) AS Value1 sum(Value2) AS Value2 avg(Percentage) AS Percentage ]
| fillnull value="total"
Reply
Solved! Jump to solution

ronnybruska
New Member
‎05-11-2018 12:52 AM

appendpipe did it for me.

I have two combined subsearches (different timeframes) so i had to calculate the percentage for the two totals manually:

index=xxx "search pattern" dvc=xxx earliest="05/07/2018:00:00:00" latest="05/08/2018:00:00:00" 
| multikv 
| timechart span=30m count as today 
| appendcols [ search index=xxx "search pattern" dvc=xxx earliest="04/30/2018:00:00:00" latest="05/01/2018:00:00:00" 
| multikv 
| timechart span=30m count as yesterday ] 
| eval percentage = round((today / yesterday - 1) * 100, 2)
| rename yesterday as "Value1", today as "Value2", percentage as "Percent", _time as "time" 
| convert ctime("time") 
| table "time", "Value1", "Value2", "Percent"
| appendpipe [ eventstats sum("Value2") as total_today, sum("Value1") as total_yesterday 
| eval perc_sum = round((total_today / total_yesterday -1) * 100, 2) 
| stats sum("Value1") as "Value1", sum("Value2") as "Value2", values(perc_sum) as "Percent"] 
| fillnull value="total"

Thank you very much!

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...