https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373977#M169728 <P>Using <CODE>| addtotals label=_TOTAL</CODE> should also be possible, right?</P> <P>Also - if you use sort, remember to use <CODE>| sort 0 _TOTAL</CODE>, because by default sort is limited to 10000 results.</P> Wed, 02 May 2018 21:16:42 GMT xpac 2018-05-02T21:16:42Z https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373970#M169721 <P>I have a query that shows me the type of operations someone has performed but I would also like to sort by the total number of operations (show i can see most active users at the top) - a total column would be awesome as well.</P> <HR /> <P>Data:</P> <P>Name Operation1 Operation2 Operation3</P> <P>User 5 0 3<BR /> User 1 0 0<BR /> User 4 1 2</P> <P>Query so far:<BR /> index=*<BR /> | eval UserId=mvindex(split(UserId,"@"),0) <BR /> | eval tcount=eventcount summarize=false<BR /> | lookup peopledata network_uid AS UserId OUTPUT name as Name, location <BR /> | chart count by Name, Operation</P> Wed, 02 May 2018 15:16:35 GMT https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373970#M169721 cewing082 2018-05-02T15:16:35Z https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373971#M169722 <P>Try this:</P> <PRE><CODE>index=* | eval UserId=mvindex(split(UserId,"@"),0) | eval tcount=eventcount summarize=false | lookup peopledata network_uid AS UserId OUTPUT name as Name, location | chart count by Name, Operation | addtotals </CODE></PRE> <P>Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 02 May 2018 16:17:48 GMT https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373971#M169722 xpac 2018-05-02T16:17:48Z https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373972#M169723 <P>Probably missing the sort command of the field <CODE>Total</CODE> at the end.</P> Wed, 02 May 2018 16:24:30 GMT https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373972#M169723 somesoni2 2018-05-02T16:24:30Z https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373973#M169724 <P>You need the <CODE>addtotals</CODE> command. Experiment with all 4 patterns of <CODE>row=t/f</CODE> and <CODE>col=t/f</CODE>. You may need to use <CODE>fillnull</CODE> to add a header value on the last row.</P> Wed, 02 May 2018 16:32:17 GMT https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373973#M169724 woodcock 2018-05-02T16:32:17Z https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373974#M169725 <P>addtotals is great but adds a column at the end with the total ( great!) but when i go to chart the values, it includes the total as recorable item.</P> Wed, 02 May 2018 16:40:08 GMT https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373974#M169725 cewing082 2018-05-02T16:40:08Z https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373975#M169726 <P>Then do a sort on Total, afterwards use <CODE>| fields</CODE> to remove it <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 02 May 2018 17:06:13 GMT https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373975#M169726 xpac 2018-05-02T17:06:13Z https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373976#M169727 <P>You can rename the field like this at the end and it will disappear from the chart:</P> <PRE><CODE>| rename TOTAL AS _TOTAL </CODE></PRE> Wed, 02 May 2018 18:38:34 GMT https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373976#M169727 woodcock 2018-05-02T18:38:34Z https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373977#M169728 <P>Using <CODE>| addtotals label=_TOTAL</CODE> should also be possible, right?</P> <P>Also - if you use sort, remember to use <CODE>| sort 0 _TOTAL</CODE>, because by default sort is limited to 10000 results.</P> Wed, 02 May 2018 21:16:42 GMT https://community.splunk.com/t5/Splunk-Search/Total-foreach-Row/m-p/373977#M169728 xpac 2018-05-02T21:16:42Z