- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Sum of Field values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I'm using a query to get the total count of individual fields.
Here is the search and chart being displayed:
index=eis_continuous_integration sourcetype=eisci
| bucket _time span=1d
| stats count as totalType by Group, Type, _time
|eval Date=_time
|convert timeformat = "%m/%d/%Y" ctime (Date)
| table Date, Group, Type, totalType
_time Group Type totalType
12/16/13 EG DEPLOY 16
12/16/13 EG POST-DEPLOY 8
12/16/13 EG PRE-DEPLOY 4
12/16/13 EG ROLLBACK 2
What I'd like is the sum of totalType by Group--this way when more groups are added I will have the sum of Type by each Group. So it would look like:
date group totalCount
12/16 EG 30
12/16 CG X...etc
How can I add up the totalTypes column to obtain the results above? I've tried playing around with sum, addtotals, etc. but have had no luck.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=eis_continuous_integration sourcetype=eisci | bucket _time span=1d | stats count as totalType, values(Type) as Types by Group, _time |eval Date=_time |convert timeformat = "%m/%d/%Y" ctime (Date) | table Date, Group, Types, totalType
OR
index=eis_continuous_integration sourcetype=eisci | bucket _time span=1d | stats count as totalType by Group, Type, _time |eval Date=_time |convert timeformat = "%m/%d/%Y" ctime (Date) | status sum(totalType) as totalType by Group,Date
Another options
index=eis_continuous_integration sourcetype=eisci | bucket _time span=1d | stats count as countType by Group, Type, _time |eval Date=_time |convert timeformat = "%m/%d/%Y" ctime (Date)
| table Date, Group, Type, countType | eventstats sum(countType ) as totalType by Group, Date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=eis_continuous_integration sourcetype=eisci | bucket _time span=1d | stats count as totalType, values(Type) as Types by Group, _time |eval Date=_time |convert timeformat = "%m/%d/%Y" ctime (Date) | table Date, Group, Types, totalType
OR
index=eis_continuous_integration sourcetype=eisci | bucket _time span=1d | stats count as totalType by Group, Type, _time |eval Date=_time |convert timeformat = "%m/%d/%Y" ctime (Date) | status sum(totalType) as totalType by Group,Date
Another options
index=eis_continuous_integration sourcetype=eisci | bucket _time span=1d | stats count as countType by Group, Type, _time |eval Date=_time |convert timeformat = "%m/%d/%Y" ctime (Date)
| table Date, Group, Type, countType | eventstats sum(countType ) as totalType by Group, Date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're a genius.. Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
index=eis_continuous_integration sourcetype=eisci | timechart span=1d count as totalTypes by Group | rename _time as Date |convert timeformat="%m/%d/%Y" ctime(Date)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! This worked:
index=eis_continuous_integration sourcetype=eisci
| bucket _time span=1d
| stats count as totalType, values(Type) as Types by Group, _time
| eval Date=_time
| convert timeformat="%m/%d/%Y" ctime(Date)
If I wanted to put this in a column chart, how could I make it so I could match the count with what Group it is associated with (i.e. same color)? To try and paint the picture-- a column chart with count on the left(y-axis), date on the x-axis, and then have Group on the right. Is that possible?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
