Splunk Search

How to add a separate column which displays the total of the count?

pavanae
Builder

The following is my search

…..My Search…… | stats count by orderid,source,host

Which displays the following results

orderid source host count
971729145 /jboss/server/12commerce/log/server.log kvcldprdapp02a 1
106283305 /jboss/server/20cap/log/server.log kvcldprdapp01b 1
147093787 /jboss/server/13commerce/log/server.log kvcldprdapp08b 1
569279529 /jboss/server/11commerce/log/server.log kvcldprdapp01a 2
670563206 /jboss/server/13commerce/log/server.log kvcldprdapp03b 1
862422991 /jboss/server/12commerce/log/server.log kvcldprdapp07b 1
038357748 /jboss/server/12commerce/log/server.log kvcldprdapp03b 1

Now how can I modify my search to display a separate column that shows the total count, as follows?

orderid source host count Total_Count
971729145 /jboss/server/12commerce/log/server.log kvcldprdapp02a 1 8
106283305 /jboss/server/20cap/log/server.log kvcldprdapp01b 1
147093787 /jboss/server/13commerce/log/server.log kvcldprdapp08b 1
569279529 /jboss/server/11commerce/log/server.log kvcldprdapp01a 2
670563206 /jboss/server/13commerce/log/server.log kvcldprdapp03b 1
862422991 /jboss/server/12commerce/log/server.log kvcldprdapp07b 1
038357748 /jboss/server/12commerce/log/server.log kvcldprdapp03b 1

0 Karma
1 Solution

somesoni2
SplunkTrust

Try this

…..My Search…… | stats count by orderid,source,host | eventstats sum(count) as Total_Count


rroberts
Splunk Employee

Have you tried adding ... | appendpipe [stats sum(count) as Total_Count]

somesoni2
SplunkTrust

Appendpipe will add a row with total, not the Total as separate column

0 Karma

rroberts
Splunk Employee

Yes, but you'll get the total repeated on each row with eventstats. I think he only wants the grand total displayed once?

0 Karma

somesoni2
SplunkTrust

Well, I may be wrong with my interpretation of his requirement. And when I look at the expected output, yes, that's misleading.
Guess it's up to @pravanae to decide which format he wanted.

0 Karma

rroberts
Splunk Employee

Indeed. I could be wrong too!

0 Karma
