Splunk Search

How to sum values from specific rows to then display in pie graph

hamishcross
Engager

Hey guys,

I'm trying to add the values that correspond to specific rows in a search, to then display on a dashboard (graph/pie graph).

For example, I have a table that returns as below:

Scenario count
"C2C Scenario 1" 1
"C2C Scenario 2" 2
"C2C Scenario 3" 3
"C2C Scenario 4N" 4
"C2C Scenario 4Y" 5
"C2C Scenario 5" 6
"C2C Scenario 6" 10

The above is currently returned using the below
index=ivr_app ("C4C Scenario") | rex "C2C Scenario (?<Reason>\w+)" | eval Scenario = "C2C Scenario"." ".Reason | stats count by Scenario

I want to have a sum of the count
"C2C Scenario 2" + "C2C Scenario 4Y" + "C2C Scenario 5" as "POSITIVE"
"C2C Scenario 1" + "C2C Scenario 3" + "C2C Scenario 4N" + "C2C Scenario 6" as "NEGATIVE"

So end outcome would be a table that is

Scenario sum
POSITIVE 11
NEGATIVE 18

The plan will then be to display the above in a pie graph.

Any help would be greatly appreciated! Thanks again. Loving getting into this stuff but starting off a little slow.

0 Karma

renjith_nair
SplunkTrust

@hamishcross,

If you don't have any common field to join them, you may try

index=ivr_app ("C4C Scenario") | rex "C2C Scenario (?<Reason>\w+)"
 | eval Scenario = "C2C Scenario"." ".Reason | stats count by Scenario
 | stats sum(eval(if(Scenario=="C2C Scenario 2" OR Scenario=="C2C Scenario 4Y" OR Scenario=="C2C Scenario 5",count,null()))) as POSITIVE,
   sum(eval(if(Scenario=="C2C Scenario 1" OR Scenario=="C2C Scenario 3" OR Scenario=="C2C Scenario 4N" OR Scenario=="C2C Scenario 6",count,null()))) as NEGATIVE
Happy Splunking!
0 Karma

hamishcross
Engager

I'm pretty sure you're missing a stats ahead of the sum?

0 Karma

renjith_nair
SplunkTrust

Of course 🙂, updated

Happy Splunking!
0 Karma
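An added example, not part of the thread and not posted by either participant: a variant that maps each scenario to a category with `case()` and then sums by that category, so the result has one row per category (a label column and a value column), which is the table layout asked for in the question. The field names `raw` and `Outcome`, the `UNMAPPED` catch-all bucket, and the `makeresults` sample rows (constructed from the table in the question) are assumptions of this example.

```spl
| makeresults
| eval raw="C2C Scenario 1=1;C2C Scenario 2=2;C2C Scenario 3=3;C2C Scenario 4N=4;C2C Scenario 4Y=5;C2C Scenario 5=6;C2C Scenario 6=10"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<Scenario>[^=]+)=(?<count>\d+)$"
| fields Scenario count
| eval Outcome=case(
    in(Scenario, "C2C Scenario 2", "C2C Scenario 4Y", "C2C Scenario 5"), "POSITIVE",
    in(Scenario, "C2C Scenario 1", "C2C Scenario 3", "C2C Scenario 4N", "C2C Scenario 6"), "NEGATIVE",
    true(), "UNMAPPED")
| stats sum(count) as sum by Outcome
| rename Outcome as Scenario
```

On real data, replace everything up to and including the `fields` line with the original search through `stats count by Scenario`. Any scenario that is in neither list lands in `UNMAPPED` instead of being silently dropped from the totals.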