Just curious - is it possible to exclude the totals row and column generated by addtotals and addcoltotals from the heatmap visualization? They always show up as the hottest things on the map, distracting from the values which are actually important.
|addtotals label=total labelfiled=field which you want to remove
Splunk.... please add the ability to include/exclude certain columns/rows from a heat map!
Upvote for justice!
It is not really possible in a "good" way.
You can defeat the inclusion of these values in the heatmap calculation though, say by evaluating them to look less like numbers. For example, add to your search | eval Total = Total . " ."
You could pick an arbitrary character here to make it not look like a number.
Can you put the addcoltotals or addtotals commands at the end of the pipeline? If you do, does it make a difference?