Splunk Search

Create a new row to the table which is the sum of existing rows

amargovindan
New Member

How to have an additional row on the top which basically adds up the sum of below rows of the table
The consuming_app value as "ALL" and the remaining fileds as the sum of below rows.

Tags (1)
0 Karma
1 Solution

somesoni2
Revered Legend

Try like this

your current search producing table with consuming_app count and other fields
| appendpipe [| stats sum(*) as * | eval consuming_app="1. ALL" ] 
| sort consuming_app | eval consuming_app=if(consuming_app="1. ALL","ALL",consuming_app)

View solution in original post

0 Karma

somesoni2
Revered Legend

Try like this

your current search producing table with consuming_app count and other fields
| appendpipe [| stats sum(*) as * | eval consuming_app="1. ALL" ] 
| sort consuming_app | eval consuming_app=if(consuming_app="1. ALL","ALL",consuming_app)
0 Karma

amargovindan
New Member

Thanks Much ..Perfectly worked

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...