Solved: How do I add a number to addColTotals?

karunanaik · ‎12-18-2019

Here is my search query

index=nonprod CFE_AppName=abc
CFE_Environment=dev Appointment has
been booked | rex field=_raw
"Appointment has been booked
dept: (?.*)" | stats
count by dept | addColTotals

How can I add a static number to addColTotals? For example if addColTotals is 30 then I want to display 30+100 which is 130.

woodcock · ‎12-18-2019

Like this:

| windbag 
| rename lang AS dept 

| stats count BY dept 
| addcoltotals
| fillnull value="GRAND_TOTAL" dept
| eval count = count + if(dept=="GRAND_TOTAL", 100, 0)

View solution in original post

woodcock · ‎12-18-2019

Like this:

| windbag 
| rename lang AS dept 

| stats count BY dept 
| addcoltotals
| fillnull value="GRAND_TOTAL" dept
| eval count = count + if(dept=="GRAND_TOTAL", 100, 0)

aberkow · ‎12-18-2019

Does this example make sense? You should be using dept instead of _time for yours:

| makeresults count=3
| streamstats count
| addcoltotals
| eval _time=if(isnull(_time), "addcoltotalscolumn", _time)
| eval count=if(_time="addcoltotalscolumn", count+100, count)

Essentially, you find the column that corresponds to the addtotalscolumn (it should have a null department, I then tag it with a string), and then add 100 to the count for that row. You can also do this in one line w/

| eval count=if(isnull(_time), count+100, count), but this is a bit harder to understand what's going on!

Hope this helps

How do I add a number to addColTotals?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk