Splunk Search

How do I add a number to addColTotals?

karunanaik
Engager

Here is my search query

index=nonprod CFE_AppName=abc
CFE_Environment=dev Appointment has
been booked | rex field=_raw
"Appointment has been booked
dept: (?.*)" | stats
count by dept | addColTotals

How can I add a static number to addColTotals? For example if addColTotals is 30 then I want to display 30+100 which is 130.

Tags (1)
1 Solution

woodcock
Esteemed Legend

Like this:

| windbag 
| rename lang AS dept 

| stats count BY dept 
| addcoltotals
| fillnull value="GRAND_TOTAL" dept
| eval count = count + if(dept=="GRAND_TOTAL", 100, 0)

View solution in original post

woodcock
Esteemed Legend

Like this:

| windbag 
| rename lang AS dept 

| stats count BY dept 
| addcoltotals
| fillnull value="GRAND_TOTAL" dept
| eval count = count + if(dept=="GRAND_TOTAL", 100, 0)

aberkow
Builder

Does this example make sense? You should be using dept instead of _time for yours:

| makeresults count=3
| streamstats count
| addcoltotals
| eval _time=if(isnull(_time), "addcoltotalscolumn", _time)
| eval count=if(_time="addcoltotalscolumn", count+100, count)

Essentially, you find the column that corresponds to the addtotalscolumn (it should have a null department, I then tag it with a string), and then add 100 to the count for that row. You can also do this in one line w/

| eval count=if(isnull(_time), count+100, count), but this is a bit harder to understand what's going on!

Hope this helps

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...