Splunk Search

How can I add a Total for the count of events from different index or sourcetypes?

digital_alchemy
Path Finder

I'm searching blocked events from the firewall and Palo Alto logs and would like to add a line to show the Total of the two combined. I'm having trouble adding the line showing the total of the counts for the two individual indexes.

Current search:

index=firewalls OR index=paloalto action=blocked | stats count as "Blocked Events" by index

I would like the results to look like

firewalls 10
paloalto 25
total 35

Tags (2)
1 Solution

skoelpin
SplunkTrust
SplunkTrust

You should use addcoltotals

It will look something like this

| addcoltotals label=Total labelfield=status

View solution in original post

skoelpin
SplunkTrust
SplunkTrust

You should use addcoltotals

It will look something like this

| addcoltotals label=Total labelfield=status

View solution in original post

digital_alchemy
Path Finder

Thanks.. this works

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!