Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to count values from a filed and show count as...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
siddhardhans
Explorer
06-16-2020
06:25 PM
i am running below query to get total count by date_mday.
search query | eval ver=substr(av,1,4) | stats count(ver) by date_mday
and getting results for total count by month day.
| date_mday | count |
| 1 | 23 |
| 2 | 25 |
| 3 | 35 |
| 4 | 21 |
However, i want the results as ver count and total count - something like
| date_mday | ver1234 | ver2345 | ver3456 | ver4567 | total Count |
| 1 | 10 | 2 | 0 | 11 | 23 |
| 2 | 9 | 5 | 2 | 9 | 25 |
| 3 | 11 | 7 | 4 | 13 | 35 |
| 4 | 8 | 0 | 2 | 11 | 21 |
Since eval (eval ver=substr(av,1,4)) is dynamically populating the values to ver - I can't use | stats count(eval()) function. Please help me out.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
06-16-2020
06:33 PM
Try this
search query
| eval ver=substr(av,1,4)
| chart count by date_mday ver
| addtotals fieldname="Total Count"
| addcoltotals labelfield=date_mday label="All Days"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
06-16-2020
06:33 PM
Try this
search query
| eval ver=substr(av,1,4)
| chart count by date_mday ver
| addtotals fieldname="Total Count"
| addcoltotals labelfield=date_mday label="All Days"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
siddhardhans
Explorer
06-16-2020
06:42 PM
@DalJeanis this is great - any suggestion to get total count on these dynamic columns?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
06-16-2020
10:07 PM
| addtotals fieldname="Total Count"
| addcoltotals labelfield=date_mday label="All Days"
The addtotals command will add up the totals horizontally, the addcoltotals will add them vertically.
I've updated the code above to include these.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
siddhardhans
Explorer
06-17-2020
08:45 AM
Get Updates on the Splunk Community!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
Tuesday, May 14, 2024 | 11AM PT / 2PM ET
Register to Attend
Join us for this Tech Talk and learn how to ...
.conf24 | Personalize your .conf experience with Learning Paths!
Personalize your .conf24 Experience
Learning paths allow you to level up your skill sets and dive deeper ...
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...
