addTotals not including a column

LauraBre · ‎06-21-2012

Hello,

this is my search:

source=tcp:5544 STAT_VE="YES" OR STAT_VE="NO" |eval Transac=case(D_LAB_ERR="TIMEOUT_REACHED" OR D_LAB_ERR="TIMEOUT_REACHED_RECORD","PA Pb fin de session 3D Secure", SD_STAT_PA="NO" AND  (NOT D_LAB_ERR="TIMEOUT_REACHED" OR NOT D_LAB_ERR="TIMEOUT_REACHED_RECORD"),"PA Pb Autres",STAT_VE="NO","VE No",STAT_VE="YES" AND SD_STAT_PA="YES","PA Yes",STAT_VE="YES" AND SD_STAT_PA="ATTEMPT","PA Attempt",STAT_VE="YES" AND SD_STAT_PA="NO", "PA No",STAT_VE="YES","VE sans PA") |chart count by PURCH_DATE,Transac|addTotals

My problem is that I want to do the sum of all case within the field PURCH_DATE(an integer) but when I use addTotals, the sum is the sum of all values column. How can I do to have the sum of the Transac within the field PURCH_DATE.

Thx by advance

Laura

woodcock · ‎07-07-2015

If I understand you correctly, like this:

source=tcp:5544 STAT_VE="YES" OR STAT_VE="NO" |eval Transac=case(D_LAB_ERR="TIMEOUT_REACHED" OR D_LAB_ERR="TIMEOUT_REACHED_RECORD","PA Pb fin de session 3D Secure", SD_STAT_PA="NO" AND  (NOT D_LAB_ERR="TIMEOUT_REACHED" OR NOT D_LAB_ERR="TIMEOUT_REACHED_RECORD"),"PA Pb Autres",STAT_VE="NO","VE No",STAT_VE="YES" AND SD_STAT_PA="YES","PA Yes",STAT_VE="YES" AND SD_STAT_PA="ATTEMPT","PA Attempt",STAT_VE="YES" AND SD_STAT_PA="NO", "PA No",STAT_VE="YES","VE sans PA") |stats count by PURCH_DATE Transac | eventstats sum(count) AS TransacSum BY PURCH_DATE

addTotals not including a column

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases