Splunk Search

How do I add a number to addColTotals?


Here is my search query

index=nonprod CFEAppName=abc
Environment=dev Appointment has
been booked | rex field=_raw
"Appointment has been booked
dept: (?.*)" | stats
count by dept | addColTotals

How can I add a static number to addColTotals? For example if addColTotals is 30 then I want to display 30+100 which is 130.

Tags (1)

Re: How do I add a number to addColTotals?


Does this example make sense? You should be using dept instead of _time for yours:

| makeresults count=3
| streamstats count
| addcoltotals
| eval _time=if(isnull(_time), "addcoltotalscolumn", _time)
| eval count=if(_time="addcoltotalscolumn", count+100, count)

Essentially, you find the column that corresponds to the addtotalscolumn (it should have a null department, I then tag it with a string), and then add 100 to the count for that row. You can also do this in one line w/

| eval count=if(isnull(_time), count+100, count), but this is a bit harder to understand what's going on!

Hope this helps

0 Karma

Re: How do I add a number to addColTotals?

Esteemed Legend

Like this:

| windbag 
| rename lang AS dept 

| stats count BY dept 
| addcoltotals
| fillnull value="GRAND_TOTAL" dept
| eval count = count + if(dept=="GRAND_TOTAL", 100, 0)

View solution in original post