Solved: Can we name the addcoltotals field in a bar chart?

vrmandadi · ‎03-03-2016

I ran this search:

.....| chart  count by TYPE | addcoltotals labelfield=total

and got these results:

type    count     total
a         2
b         2
c         2          
          6       total

I visualized the above result in a bar chart, but the total field does not have any name to it like a or b or c .....is there any way that the bar chart can have a name called total?

ngatchasandra · ‎03-03-2016

Hi vrmandadi,

Try with fillnull command to have a name for it like follow in your bar graph

 .....| chart  count by TYPE | addcoltotals labelfield=total |fillnull value=TOTAL

Or you can try:

.....| chart  count by TYPE | addcoltotals labelfield=TYPE label=total

View solution in original post

maciep · ‎03-03-2016

haven't done any testing but what if you set labelfield to TYPE

.... | addcoltotals labelfield=TYPE

So that you end up with data that looks like this instead

TYPE       count
 a               2
 b               2
 c               2          
 total         6

Since you are chart'ing by TYPE, I don't think you'd see a new field you named total

ngatchasandra · ‎03-03-2016

Hi vrmandadi,

Try with fillnull command to have a name for it like follow in your bar graph

 .....| chart  count by TYPE | addcoltotals labelfield=total |fillnull value=TOTAL

Or you can try:

.....| chart  count by TYPE | addcoltotals labelfield=TYPE label=total

ngatchasandra · ‎03-07-2016

Thanks vrmandadi,

I see that you sent me also points. You could also do it by just vote has left my response

vrmandadi · ‎03-04-2016

thanks a lot the first query worked just with a small change

chart count by TYPE | addcoltotals labelfield=total |fillnull value=TOTAL |fields -total

gyslainlatsa · ‎03-03-2016

hi,

try like this:

your base search | chart count by TYPE |addcoltotals labelfield=TOTAL label=Total

vrmandadi · ‎03-03-2016

This is same as the search i typed and the result is the same,,when I see the bar graph I cannot see the name for it

somesoni2 · ‎03-03-2016

Try something like this

your base search | chart count by TYPE | addcoltotals | eval TYPE=coalesce(TYPE,"total")

OR

your base search | chart count by TYPE | appendpipe [| stats sum(count) as count | eval TYPE="total"]

Updated
Total as separate series/column

  your base search | chart count by TYPE | eventstats sum(count) as total

vrmandadi · ‎03-03-2016

Hi Somesh,

I tried using the above two searches but none of them gave me name on the bar graph ,the second search adds all total and again adds the total with the above count.

somesoni2 · ‎03-03-2016

Both the search should give an output like this

type count
a         2
b         2
c         2 
total   6

Both column and bar chart gives me a bar/column with name total. I guess you're talking about the legend where the name of series is only count. If you want to have total as separate series, try the updated answer.

vrmandadi · ‎03-04-2016

| chart count by MESSAGE_TYPE | addcoltotals labelfield=total |fillnull value=TOTAL |fields- total

this worked...the updated query gives a separate column total and each row is having the the total

Can we name the addcoltotals field in a bar chart?

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?

Can we name the addcoltotals field in a bar chart?

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions