- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get the total for each group?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get the total for each group?
Hi,
i have a data listed as such:
GROUP DISK
G1 D1
G1 D2
G2 D3
G3 D4
G3 D5
G3 D6
DISK READS WRITES
D1 20 30
D2 16 23
D3 9.5 10
D4 150 200
for each group, i am getting all the D# related to that group.
for each D# i am making a new eval total=reads+writes.
then i am doing addtotals to get the total for each group, which is what i want.
this is my search:
index=myind source=disks_source | extract lala | WHERE [search index=myind source=groups_source earliest=-7d latest=now | table DISK | dedup DISK | fields + DISK] | eval total=(READS+WRITES) | bin _time span=1m | stats max(total) as Total by _time,DISK | addtotals row=true labelfield=total_group fieldname=total_group | timechart span=1m max(total_group) as " group Total Transfer"
for example, if the is G1, than i am getting the total reads+writes for D1+D2 and then i chart it using the timechart.
what i want to do now is get the total for each group, sort the groups by descending order and get the TOP10.
the search above works for me for a single group.
how to make the search go for each group?
i thought this would make sense but it doesn't work (not the original search):
index=myind source=mysrc | extract mymy | WHERE [search index=myind source=mysrc earliest=-7d latest=now [search index=myind source=mysrc earliest=-7d latest=now | table GROUP | dedup GROUP | fields + GROUP] | table DISK | dedup DISK | fields + DISK] | eval total=(READS+WRITES) | bin _time span=1m | stats max(total) as Total by _time,GROUP,DISK | addtotals row=true labelfield=total_group fieldname=total_group | timechart span=1m max(total_group) as "group total"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so i got an answer thanks to our "in house" Splunk team 🙂
this is the solution:
index=myind source=disks_data | extract blabla | join DISK_NUMBER [search index=myind source=disks_in_groups] | bin _time span=1m | eval total=(READS+WRITES) | stats max(total) as Transfer by _time,group | rename group as Server | table Server,Transfer | sort Transfer desc | dedup Server | head 100
this does the following:
first, it takes all the disks and their groups.
for example, i get -
Group1:Disk1,Disk2
Group2:Disk1,Disk3,Disk4
Group3:Disk5,Disk6
from there, i do a join between that data to the disks_data so i get a table like this:
Disk READS WRITES Group
Disk1 70 20 Group1
Disk2 50 13 Group1
Disk3 95 54 Group2
Disk4 12 14 Group2
Disk5 31 78 Group3
Disk6 11 54 Group4
then, i sum the values of the READS+WRITES to an eval Total.
do stats command by _time and Group -> this is what i was looking for, this gives me the total READS+WRITES of all the groups, not just by disk.
then i only do a sort to get the TOP 100, but that's just my addition.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, so click Accept to close the question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is going to be hard to do without you supplying real sample data (or at least intermediate data, such as what you get just before your bin command. For starters, your WHERE clauses seems poorly placed but maybe that is because it is operating on fields that do not exist in your base search and are created by the extract command. Also either your addtotals command is useless (there for debug) or will not work right with what you are trying to do because Total is not the same as total.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
you are correct about the WHERE, i need to do an extract so i don't have an option to do it before.
as for the addtotals, i have changed it here and in my search, it really was not making sense.
i got an answer from our Splunk team inside the organization so i'm all good 🙂
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
