## Addtotals - Percentage of 2 total fields as new field

New Member

Hi there,

I created a table:

Date | Value1 | Value2 | Percentage

The last line should be:

"total" | total of Value1 | total of Value2 | Percentage change of "total of Value1" and "total of Value2"

So I want to calculate two total fields to add a third total field, because the last field shouldn't be the total of all percentages.
I already got the first 3 fields but could not find out how to add a second field with addtotals.

``````
addtotals col=true row=false "Value1", "Value2", labelfield="Date" label="total"
``````

Is this possible?

Thx!

Esteemed Legend

``````
index=_* sourcetype=splunkd component=metrics
| timechart span=1h avg(kb) AS Value1 avg(ev) AS Value2 avg(load_average) AS Percentage

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution:"

| appendpipe [ stats sum(Value1) AS Value1 sum(Value2) AS Value2 avg(Percentage) AS Percentage ]
| fillnull value="total"
``````
New Member

appendpipe did it for me.

I have two combined subsearches (different timeframes), so I had to calculate the percentage for the two totals manually:

``````
index=xxx "search pattern" dvc=xxx earliest="05/07/2018:00:00:00" latest="05/08/2018:00:00:00"
| multikv
| timechart span=30m count as today
| appendcols [ search index=xxx "search pattern" dvc=xxx earliest="04/30/2018:00:00:00" latest="05/01/2018:00:00:00"
| multikv
| timechart span=30m count as yesterday ]
| eval percentage = round((today / yesterday - 1) * 100, 2)
| rename yesterday as "Value1", today as "Value2", percentage as "Percent", _time as "time"
| convert ctime("time")
| table "time", "Value1", "Value2", "Percent"
| appendpipe [ eventstats sum("Value2") as total_today, sum("Value1") as total_yesterday
| eval perc_sum = round((total_today / total_yesterday -1) * 100, 2)
| stats sum("Value1") as "Value1", sum("Value2") as "Value2", values(perc_sum) as "Percent"]
| fillnull value="total"
``````

Thank you very much!
