Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Changing position of addtotals label Field

hcastell
Path Finder
‎10-30-2014 07:13 AM

I'm using the addtotals command to sum values I have in a given column of a report. The total shows up just like I want however I'm trying to figure out how to put a descriptive name to it in a specific position. Here's my table that my search string produces:

Parameter Breakdown                                     count
Reports with RF Paramaters values as n/a              6
Reports with RxPwr out of spec                      2
Reports with TxPwr value out of spec                  8
                                                     16

Here are the last few lines of my search string:

| chart count by RFFailure_Stats
| rename RFFailure_Stats AS "Parameter Breakdown"
| addtotals col=t row=f

What I'd like to see is the following:

Parameter Breakdown                                count
Reports with RF Paramaters values as n/a    6
Reports with RxPwr out of spec                          2
Reports with TxPwr value out of spec            8
Total Count                                                           16                 <<<<<<<

If I use

| addtotals col=t row=f labelfield=Total_count

I get the following:

Parameter Breakdown                                count  Total_count
Reports with RF Paramaters values as n/a    6
Reports with RxPwr out of spec                          2
Reports with TxPwr value out of spec            8
                                                                                16       Total

Is there a way to accomplish what I am after?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-30-2014 07:48 AM

Try this

 ...your base search...| chart count by RFFailure_Stats
| addtotals col=t row=f labelfield=RFFailure_Stats label="Total count"
| rename RFFailure_Stats AS "Parameter Breakdown"

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-30-2014 07:48 AM

Try this

 ...your base search...| chart count by RFFailure_Stats
| addtotals col=t row=f labelfield=RFFailure_Stats label="Total count"
| rename RFFailure_Stats AS "Parameter Breakdown"
Reply
Solved! Jump to solution

hcastell
Path Finder
‎10-31-2014 05:32 AM

I have it working now. Thanks again for the suggestion.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎10-31-2014 05:49 AM

Please mark this as answered in this case - thx

0 Karma
Reply
Solved! Jump to solution

musskopf
Builder
‎10-30-2014 03:25 PM

Using somesoni2 example worked over here:

index=_internal | stats sum(bytes) as bytes by user | addtotals col=t row=f fieldname=bytes label="Total Bytes" labelfield="user" | rename user as "Splunk Users"
Reply
Solved! Jump to solution

hcastell
Path Finder
‎10-30-2014 08:21 AM

Thanks for your response. Tried what you suggested and got the same result.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...