Splunk Search

How do you create a total column in a chart?

barrowvian
Explorer

Hi,

I'm pretty new to Splunk and have been playing around with it.

index=sse_cae_summary_idx new_sourcetype=sse_altair_log_summary_stype 
| search FEATURE_NAME="HWHyperMesh*"  FEATURE_VERSION="9.0" 
| eval DurationHour=DURATION/3600 
| chart dc(USER_NAME) as "Unique Users" by USER_NAME

The above code simply gives me each unique user that is using version 9 of Hypermesh. The chart has two columns, username and unique users. The unique users column has a 1 in for each of the users . Ideally, I'd rather have a total column that just details the amount of unique users that are in the search. Please could someone help me out? Thank you.

1 Solution

harishalipaka
Motivator

hi @barrowvian

try to add end of your query with | addtotals or | addcoltotals

Thanks
Harish

View solution in original post

barrowvian
Explorer

|addcoltotals

0 Karma

harishalipaka
Motivator

hi @barrowvian

try to add end of your query with | addtotals or | addcoltotals

Thanks
Harish

barrowvian
Explorer

That worked perfectly, thank you. Was literally just reading about it as you posted.

0 Karma

renjith_nair
Legend

@barrowvian,

Just add to your search |eventstats sum("Unique Users") as Total to get a total in each record

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

barrowvian
Explorer

Thanks, but this creates a separate column with a value in each of the rows ..

e.g.
User_Name Unique Users Total
User1 1 3
User2 1 3
User3 1 3

Is there a way to just have one field with the total value in instead? Thank you.

0 Karma

renjith_nair
Legend

@barrowvian,
Ofcourse we can do it. just to be clear, how does your final output should look like?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...