Solved: How to create a new column in my table showing the...

akawacz · ‎09-15-2015

HI

My data

Quarter   Type   Amount
2014q1     a      100
2014q1     b      200
2015q2     a      100
2015q2     b      100

I would like to create an additional column with sum for the same quarter.

Expected result

Quarter   Type   Amount  New_column
2014q1     a      100       300
2014q1     b      200       300
2015q2     a      100       200
2015q2     b      100       200

My current search:

index=test |stats(amount) as amount by quarter type

I do not want to use join and append.

Could you help me?

somesoni2 · ‎09-15-2015

Try this

your current search | eventstats sum(amount) as New_column by quarter

View solution in original post

somesoni2 · ‎09-15-2015

Try this

your current search | eventstats sum(amount) as New_column by quarter

akawacz · ‎09-15-2015

That works!! thank you

ppablo · ‎09-15-2015

Hi @akawacz,

Glad @somesoni2 helped you find your answer 🙂 Please be sure to accept his answer by clicking "Accept" directly below the answer, otherwise this post will show as unresolved. Thanks!

Patrick

woodcock · ‎09-15-2015

This is not your search; you are missing a function between stats and (amount).

akawacz · ‎09-15-2015

Yes, good point. Just forgot to put it. i was recreating version of my bigger search that would be better/easier to explain.

woodcock · ‎09-15-2015

OK, so what is it supposed to be?

akawacz · ‎09-15-2015

should be sum

How to create a new column in my table showing the sum of FieldA by FieldB?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms