Solved: How do you create a total column in a chart?

barrowvian · ‎09-17-2018

Hi,

I'm pretty new to Splunk and have been playing around with it.

index=sse_cae_summary_idx new_sourcetype=sse_altair_log_summary_stype 
| search FEATURE_NAME="HWHyperMesh*"  FEATURE_VERSION="9.0" 
| eval DurationHour=DURATION/3600 
| chart dc(USER_NAME) as "Unique Users" by USER_NAME

The above code simply gives me each unique user that is using version 9 of Hypermesh. The chart has two columns, username and unique users. The unique users column has a 1 in for each of the users . Ideally, I'd rather have a total column that just details the amount of unique users that are in the search. Please could someone help me out? Thank you.

harishalipaka · ‎09-18-2018

hi @barrowvian

try to add end of your query with | addtotals or | addcoltotals

Thanks
Harish

View solution in original post

barrowvian · ‎09-18-2018

|addcoltotals

harishalipaka · ‎09-18-2018

hi @barrowvian

try to add end of your query with | addtotals or | addcoltotals

Thanks
Harish

barrowvian · ‎09-18-2018

That worked perfectly, thank you. Was literally just reading about it as you posted.

renjith_nair · ‎09-17-2018

@barrowvian,

Just add to your search |eventstats sum("Unique Users") as Total to get a total in each record

Happy Splunking!

barrowvian · ‎09-17-2018

Thanks, but this creates a separate column with a value in each of the rows ..

e.g.
User_Name Unique Users Total
User1 1 3
User2 1 3
User3 1 3

Is there a way to just have one field with the total value in instead? Thank you.

renjith_nair · ‎09-17-2018

@barrowvian,
Ofcourse we can do it. just to be clear, how does your final output should look like?

Happy Splunking!

How do you create a total column in a chart?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life