Splunk Search

How to create a table that has values summed up by the column?

Hppjet
Path Finder

I would like to manipulate it to look like this:

alt text

0 Karma
1 Solution

woodcock
Esteemed Legend

I can't believe I actually transcribed your dataset (please post text, not graphics next time):

|makeresults | eval raw="A10 1 1090:
A10 2 1429:
A10 3 1527.66667:
A10 4 1611.46154:
A10 5 1023:
A102 1 1928.06667:
A102 2 1564.26923:
A102 3 2668.7:
A102 4 1730.33333:
A102 5 1801.75:
A103 1 1687.26316:
A103 2 1903.45833:
A103 3 1784.84615:
A103 4 1358.93333:
A103 5 1818.5:
A104 1 2476.2:
A104 2 2184.26316:
A104 3 2272.86667:
A104 4 1742.55:
A104 5 2571:
A107 1 2294.07692"
| makemv delim=":" raw
| mvexpand raw
| rex field=raw "(?<operator>\S+)\s+(?<Month>\S+)\s+(?<Count>\S+)"
| table operator Month Count

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| chart sum(Count) BY operator Month
| addtotals row=f col=t
| fillnull operator value="Grand Total"

View solution in original post

0 Karma

elliotproebstel
Champion

If you're looking to go from the first chart above (three columns: operator, Month, and Count) to the second chart, then you should be able to append this to your current search:

| xyseries operator Month Count 
| addcoltotals label="Grand Total" labelfield="operator"
0 Karma

woodcock
Esteemed Legend

I can't believe I actually transcribed your dataset (please post text, not graphics next time):

|makeresults | eval raw="A10 1 1090:
A10 2 1429:
A10 3 1527.66667:
A10 4 1611.46154:
A10 5 1023:
A102 1 1928.06667:
A102 2 1564.26923:
A102 3 2668.7:
A102 4 1730.33333:
A102 5 1801.75:
A103 1 1687.26316:
A103 2 1903.45833:
A103 3 1784.84615:
A103 4 1358.93333:
A103 5 1818.5:
A104 1 2476.2:
A104 2 2184.26316:
A104 3 2272.86667:
A104 4 1742.55:
A104 5 2571:
A107 1 2294.07692"
| makemv delim=":" raw
| mvexpand raw
| rex field=raw "(?<operator>\S+)\s+(?<Month>\S+)\s+(?<Count>\S+)"
| table operator Month Count

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| chart sum(Count) BY operator Month
| addtotals row=f col=t
| fillnull operator value="Grand Total"
0 Karma

Hppjet
Path Finder

I need to take the values in the second column and turn those into columns which will sum the values based on what is in the first column.

0 Karma

Hppjet
Path Finder

It worked!

0 Karma

woodcock
Esteemed Legend

Yes, I get it; that is what my solution does. Did you not try it? I went back and modified my answer to prove that it works with sample data.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @Hppjet,

Have you tried addcoltotals ??

Can you please try my sample search?

index="_internal" sourcetype=* date_minute=* 
| chart count over sourcetype by date_minute 
| addcoltotals 
| fillnull value="Grand Total" sourcetype

I have added fillnull for displaying "Grand Total" value at the last.

Thanks

0 Karma

Hppjet
Path Finder

I need to take the values in the second column and turn those into columns which will sum the values based on what is in the first column.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...