Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to transform row to column unique?

sjkalai
Explorer
‎06-06-2022 11:16 PM

I am new to Splunk, search query and return table values , I want change below table into second table format. 

convert to table into below format. percentage calculation is sum of 0-5% - Q1 row value/ sum of column total. How can achieve this. please help me . Thanks in advance

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-06-2022 11:29 PM

Hi @sjkalai,

you should use the chart command (https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Chart)

Only one question: how does the Serial field is in the calculation?

for each usage_range and quarter, do you want the count of the values or the distinct values of Serials?

if the count, please try something like this:

your_search
| chart count OVER usage_range BY quarter

if distinct_count of Serials

your_search
| chart dc(Serial) OVER usage_range BY quarter

Ciao.

Giuseppe

0 Karma
Reply

sjkalai
Explorer
‎06-07-2022 12:11 AM

Thank you for answer. @gcusello  I am already used chart i got table. but I want add a percentage calculation (Serial count *100 )/ sum (column -Q1) total. I want like this Serial count 10 (50%) is in column total 20. Ex (10*100)/20 = 50 %

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-07-2022 12:28 AM

Hi @sjkalai,

you have to use a more complicated search that I cannot test, see my approach and adapt to your need:

your_search
| stats count BY usage_range quarter
| evenstats sum(count) AS quarter_total BY quarter
| eval perc=count*100/quarter_total 
| eval value_to_display=count." (".perc."%)"
| chart values(value_to_display) AS value_to_display OVER usage_range BY quarter

Ciao.

Giuseppe

Reply

sjkalai
Explorer
‎06-07-2022 05:38 AM

Hi @gcusello ,

Thanks its work. But I cannot add a column total in the last row because chart values are string. so we cannot use addtotals or addcoltotals commend.
 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-07-2022 05:49 AM

Hi @sjkalai,

you could try to use the append command at the end of your search:

 

your_search
| stats count BY usage_range quarter
| evenstats sum(count) AS quarter_total BY quarter
| eval perc=count*100/quarter_total 
| eval value_to_display=count." (".perc."%)"
| chart values(value_to_display) AS value_to_display OVER usage_range BY quarter
| append [ search your_search | evenstats sum(count) AS quarter_total BY quarter ]

 

If this answer solves your need, please accept it for the other people of Community.

Ciao.

Giuseppe

P.S. Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...