How to sum values from specific rows to then displ...

hamishcross · ‎08-05-2019

Hey guys,

I'm trying to add the values that correspond to specific rows in a search, to then display on a dashboard (graph/pie graph).

For example, I have a table that returns as below:

Scenario count
"C2C Scenario 1" 1
"C2C Scenario 2" 2
"C2C Scenario 3" 3
"C2C Scenario 4N" 4
"C2C Scenario 4Y" 5
"C2C Scenario 5" 6
"C2C Scenario 6" 10

The above is currently returned using the below
index=ivr_app ("C4C Scenario")| rex "C2C Scenario (?\w+)" | eval Scenario = "C2C Scenario"." ".Reason | stats count by Scenario

I want to have a sum of the count
"C2C Scenario 2" + "C2C Scenario 4Y" + "C2C Scenario 5" as "POSITIVE"
"C2C Scenario 1" + "C2C Scenario 3" + C2C Scenario 4N" + "C2C Scenario 6" as "NEGATIVE"

So end outcome would be a table that is

Scenario sum
POSITIVE 11
NEGATIVE 18

The plan will then be to display the above in a pie graph.

Any help would be greatly appreciated! Thanks again. Loving getting into this stuff but starting off a little slow.

renjith_nair · ‎08-06-2019

@hamishcross,

If you dont have any common field to join them, you may try

index=ivr_app ("C4C Scenario")| rex "C2C Scenario (?\w+)" 
 | eval Scenario = "C2C Scenario"." ".Reason | stats count by Scenario
 | stats sum(eval(if(Scenario=="C2C Scenario 2" OR Scenario=="C2C Scenario 4Y" OR Scenario=="C2C Scenario 5",count,null()))) as POSITIVE,
   sum(eval(if(Scenario=="C2C Scenario 1" OR Scenario=="C2C Scenario 3" OR Scenario=="C2C Scenario 4N" OR Scenario=="C2C Scenario 6",count,null()))) as NEGATIVE

Happy Splunking!

hamishcross · ‎08-06-2019

I'm pretty sure you're missing a stats ahead of the sum?

renjith_nair · ‎08-06-2019

ofcourse 🙂 , updated

Happy Splunking!

How to sum values from specific rows to then display in pie graph

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes