Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to move addtotals to the first column for a chart?

MeMilo09
Path Finder
‎03-01-2022 12:49 PM

Hello Splunk Community,

How can I move the addtotals field to display as the first column and not last for this chart? 

Currently: 

_timeHost123Host456total 
2022-02-24 22:00022


Would like:

_timetotalHost123Host456
2022-02-24 22:00202



Current Code:

 index="Dept_data_idx"  eventType="Created" status="success" host=* | bucket _time span=1h | stats  count by _time host | addtotals
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2022 01:04 AM

You didn't show it as using chart, you showed using stats. For chart, use this

index="Dept_data_idx"  eventType="Created" status="success" host=* | bucket _time span=1h | chart count by _time host | addtotals
| table _time Total *

View solution in original post

0 Karma
Reply
Solved! Jump to solution

SanjayReddy
SplunkTrust
SplunkTrust
‎03-01-2022 07:45 PM

hi @MeMilo09 

Updated Answer 

you can use table command to re arrange the fields

index="Dept_data_idx" eventType="Created" status="success" host=*
| bucket _time span=1h
| stats count by _time host
| addtotals
| table Total _time host

also if you want to rename the total name which is default name  use following after addtotals 

fieldname="Total by Row" to rename the column name (Total is default) 

0 Karma
Reply
Solved! Jump to solution

MeMilo09
Path Finder
‎03-01-2022 08:34 PM

Thanks, but doing | table command does not fix the issue, since I am using | chart command. When I use | table I am able to move the addtotals column to the start of the table, but it does away with the host data. So what I get now looks like this using table... notice no host name or counts are under the host now. 

_timeTotalhost
2022-02-24 22:004 
2022-02-24 23:002 
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2022 01:04 AM

You didn't show it as using chart, you showed using stats. For chart, use this

index="Dept_data_idx"  eventType="Created" status="success" host=* | bucket _time span=1h | chart count by _time host | addtotals
| table _time Total *
0 Karma
Reply
Solved! Jump to solution

MeMilo09
Path Finder
‎03-02-2022 08:54 AM

Yes, I needed to keep the chart at all costs

| table  _time Total * 

did it and I totally understand why now.

Thanks!

0 Karma
Reply
Solved! Jump to solution

SanjayReddy
SplunkTrust
SplunkTrust
‎03-02-2022 05:12 AM

Hi @ITWhisperer 

My bad, missed that😀

Thanks for let me know 😄

Reply
Solved! Jump to solution

SanjayReddy
SplunkTrust
SplunkTrust
‎03-01-2022 09:34 PM

Hi @MeMilo09 

I updated My initlal repsone, can you please use that query

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...