Splunk Search

Can we name the addcoltotals field in a bar chart?

vrmandadi
Builder

I ran this search:

.....| chart  count by TYPE | addcoltotals labelfield=total 

and got these results:

type    count     total
a         2
b         2
c         2          
          6       total

I visualized the above result in a bar chart, but the total field does not have any name to it like a or b or c .....is there any way that the bar chart can have a name called total?

0 Karma
1 Solution

ngatchasandra
Builder

Hi vrmandadi,

Try with fillnull command to have a name for it like follow in your bar graph

 .....| chart  count by TYPE | addcoltotals labelfield=total |fillnull value=TOTAL

Or you can try:

.....| chart  count by TYPE | addcoltotals labelfield=TYPE label=total

View solution in original post

maciep
Champion

haven't done any testing but what if you set labelfield to TYPE

.... | addcoltotals labelfield=TYPE

So that you end up with data that looks like this instead

TYPE       count
 a               2
 b               2
 c               2          
 total         6

Since you are chart'ing by TYPE, I don't think you'd see a new field you named total

0 Karma

ngatchasandra
Builder

Hi vrmandadi,

Try with fillnull command to have a name for it like follow in your bar graph

 .....| chart  count by TYPE | addcoltotals labelfield=total |fillnull value=TOTAL

Or you can try:

.....| chart  count by TYPE | addcoltotals labelfield=TYPE label=total

ngatchasandra
Builder

Thanks vrmandadi,

I see that you sent me also points. You could also do it by just vote has left my response

0 Karma

vrmandadi
Builder

thanks a lot the first query worked just with a small change

chart count by TYPE | addcoltotals labelfield=total |fillnull value=TOTAL |fields -total

0 Karma

gyslainlatsa
Motivator

hi,

try like this:

your base search | chart count by TYPE |addcoltotals labelfield=TOTAL label=Total
0 Karma

vrmandadi
Builder

This is same as the search i typed and the result is the same,,when I see the bar graph I cannot see the name for it

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try something like this

your base search | chart count by TYPE | addcoltotals | eval TYPE=coalesce(TYPE,"total")

OR

your base search | chart count by TYPE | appendpipe [| stats sum(count) as count | eval TYPE="total"]

Updated
Total as separate series/column

  your base search | chart count by TYPE | eventstats sum(count) as total
0 Karma

vrmandadi
Builder

Hi Somesh,

I tried using the above two searches but none of them gave me name on the bar graph ,the second search adds all total and again adds the total with the above count.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Both the search should give an output like this

type count
a         2
b         2
c         2 
total   6

Both column and bar chart gives me a bar/column with name total. I guess you're talking about the legend where the name of series is only count. If you want to have total as separate series, try the updated answer.

0 Karma

vrmandadi
Builder

| chart count by MESSAGE_TYPE | addcoltotals labelfield=total |fillnull value=TOTAL |fields- total

this worked...the updated query gives a separate column total and each row is having the the total

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...