Splunk Search

Changing position of addtotals label Field

Path Finder

I'm using the addtotals command to sum values I have in a given column of a report. The total shows up just like I want however I'm trying to figure out how to put a descriptive name to it in a specific position. Here's my table that my search string produces:

Parameter Breakdown                                     count
Reports with RF Paramaters values as n/a              6
Reports with RxPwr out of spec                      2
Reports with TxPwr value out of spec                  8

Here are the last few lines of my search string:

| chart count by RFFailure_Stats
| rename RFFailure_Stats AS "Parameter Breakdown"
| addtotals col=t row=f

What I'd like to see is the following:

Parameter Breakdown                                count
Reports with RF Paramaters values as n/a    6
Reports with RxPwr out of spec                          2
Reports with TxPwr value out of spec            8
Total Count                                                           16                 <<<<<<<

If I use

| addtotals col=t row=f labelfield=Total_count

I get the following:

Parameter Breakdown                                count  Total_count
Reports with RF Paramaters values as n/a    6
Reports with RxPwr out of spec                          2
Reports with TxPwr value out of spec            8
                                                                                16       Total

Is there a way to accomplish what I am after?

Tags (2)
0 Karma
1 Solution

Revered Legend

Try this

 ...your base search...| chart count by RFFailure_Stats
| addtotals col=t row=f labelfield=RFFailure_Stats label="Total count"
| rename RFFailure_Stats AS "Parameter Breakdown"

View solution in original post

Revered Legend

Try this

 ...your base search...| chart count by RFFailure_Stats
| addtotals col=t row=f labelfield=RFFailure_Stats label="Total count"
| rename RFFailure_Stats AS "Parameter Breakdown"

Path Finder

I have it working now. Thanks again for the suggestion.

0 Karma


Please mark this as answered in this case - thx

0 Karma


Using somesoni2 example worked over here:

index=_internal | stats sum(bytes) as bytes by user | addtotals col=t row=f fieldname=bytes label="Total Bytes" labelfield="user" | rename user as "Splunk Users"

Path Finder

Thanks for your response. Tried what you suggested and got the same result.

0 Karma
Get Updates on the Splunk Community!

Customer Experience | Splunk 2024: New Onboarding Resources

In 2023, we were routinely reminded that the digital world is ever-evolving and susceptible to new ...

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

Today and every day, Splunk celebrates the importance of customer experience throughout our product, ...

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...