Splunk Search

How do I get addtotals to exclude one of the column?

New Member

I need to addtotals to exclude one of the columns created as a result of chart command.
P.S: I need exclusion, not inclusion.

Tags (1)
0 Karma

Splunk Employee
Splunk Employee

addtotals | eval Total=(Total - ExcludedField)

0 Karma

New Member

|addtotals label=total labelfiled=field which you want to remove

0 Karma

Revered Legend

If the name of fields that you want to include is finite and is known, use @adonio's answer. If they are dynamic but you know which one to exclude, try this workaround,
Updated

your current search | rename field_to_exclude as dont_field_to_exclude  * as include_* | addcoltotals include_* | rename dont_field_to_exclude as field_to_exclude   include_* as *
0 Karma

SplunkTrust
SplunkTrust

@somesoni2 - Shouldn't your first rename be...

| rename * as include_*, field_to_exclude as dont_field_to_exclude

Revered Legend

Yes, I tried to copy it to next rename and did cut instead. Thanks for pointing that out.

SplunkTrust
SplunkTrust

hello pkaarana,
you can use addcoltotals with fields and specify only the fields that you want. example here:
index = _internal | stats sum(bytes) as totalBytes avg(bytes) as avgBytes by host | addcoltotals totalBytes

0 Karma

New Member

This isn't an answer but the question was about addtotals not addcoltotals. If, for instance, I want to exclude the first column of a chart from a row total, how is that done?

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!