Splunk Search

How do I use the addcoltotals command with a stats list or stats values?

johnward4
Communicator

How do I use addcoltotals with a stats list or with stats values?

I'm trying to include the totals for each line value after running a stats list or values on a field with a numeric value and pipe addcoltotals , but it is skipping any values that are represented in my list or values table visualization. Anyone know how to get this to work?

| stats values(Total) as Total, values(example) as example by thing
| table thing, example, Total
| addcoltotals labelfield=thing label="Grand Total:"
0 Karma
1 Solution

KailA
Contributor

Hi,

Can you try something like that

| eventstats sum(Total) as GrandTotal by things
| stats values(Total) as Total, values(example) as example values(GrandTotal) as GrandTotal by thing
| table thing, example, Total,GrandTotal

Doing the sum of the Total before should be a good solution.

KailA

View solution in original post

vinaykata
Path Finder

Your search is almost correct try using sum(Total) instead of values.

Your search | stats sum(Total) as Total by host | addcoltotals labelfield="fieldName" label="GrandTotal" | your table command

0 Karma

KailA
Contributor

Hi,

Can you try something like that

| eventstats sum(Total) as GrandTotal by things
| stats values(Total) as Total, values(example) as example values(GrandTotal) as GrandTotal by thing
| table thing, example, Total,GrandTotal

Doing the sum of the Total before should be a good solution.

KailA

johnward4
Communicator

alt text

0 Karma

Vijeta
Influencer

When you do list or value even on numeric values I believe the list command converts it into string and that is why you cannot add multivalued column. I would rather do it as

  stats sum(Total) by Example Thing
0 Karma

Vijeta
Influencer

Can you please give an example of data or output that you are expecting? Anyways addcoltotals will not work with list or value as they are non-numeric

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...