Solved: AddColTotals

xvxt006 · ‎06-17-2013

Hi, I want to get the count of errors. So i have a query to get the count by status where status is greater than 400. When i use addcoltotals, it is thinking status as a column and hence it is giving the total for both. How can i get that?

/Current
No status count
1 200 26
2 302 57
3 502 83

Expected

No status count
1 200 26
2 302 57
3 Total 83

sourcetype=access_combined_wcookie host="qqqq*" uri=/checklogin* status>400 | stats count by status | addcoltotals label=Total labelfield=status

bmunson_splunk · ‎06-17-2013

You should be able to just name the fields you want totals for.

sourcetype=access_combined_wcookie host="qqqq" uri=/checklogin status>400 | stats count by status | addcoltotals count label=Total labelfield=status

View solution in original post

xvxt006 · ‎06-17-2013

Thank you !!! This worked fine.

bmunson_splunk · ‎06-17-2013

You should be able to just name the fields you want totals for.

sourcetype=access_combined_wcookie host="qqqq" uri=/checklogin status>400 | stats count by status | addcoltotals count label=Total labelfield=status

aholzer · ‎06-17-2013

I don't think it's possible to exclude with addColTotals, but you should be able to with addTotals. Here's the documentation: http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Addtotals

Your search would look like this:
sourcetype=access_combined_wcookie host="qqqq" uri=/checklogin status>400 | stats count by status | addTotals col=t label=Total labelfield=status count

AddColTotals

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?