Splunk Search

How to add final total count of results without adding another column?

Path Finder

I can't seem to figure out a way to add a bottom row for a total count of results (records) to the end of the results without adding another column for a count and then totaling that column. There must be an easier way.

I can't use |stats count which is the number I'm looking for because that suppresses the details of the results.
Using |stats count by ....(all my fields needed in output) works but it adds an unwanted column for the count. If I try to use |fields - count that breaks the total count.

I know there must be a way for this - please help!

0 Karma


You could just append a stats count search to your current search. It's not as efficient as the above suggestions but might work as a quick fix if the above is too complicated. A little frustrating that you have to do the same search twice though ...

your_base_search | table field1, field2 | append [ your_base_search | stats count | eval field1="TOTAL EVENTS" | rename count AS field2 ]

An alternative would be to create a count column but then remove it by adding the total count and label to one of your other columns:

your_base_search | eval count=1 | addcoltotals labelfield=field1 label="TOTAL EVENTS" | eval field2=if(field1="TOTAL EVENTS",count,field2) | fields - count


Try using the Splunk commands addcoltotals or addtotals as per your need. Refer to the following Splunk documentation:

Also, with the latest Splunk Enterprise 6.5 version this feature is built into the UI for tables being printed. Once a table is saved as a Dashboard panel, turning on Summary>Totals prints the column totals.

| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

ok ... I don't have a need to total columns of numbers so this wouldn't apply. I know I can add a column to my output for the sake of using one of these functions but I don't want to add a column that displays a '1' for every record just so I can get a grand total count at the bottom.

0 Karma


I have edited my answer, you can try using $job.resultCount$ and print it anywhere in the panel you like. In the Splunk 6.x Dashboard Examples code, it has been added as the Panel Title. Please check and see if it solves your problem.

| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

wowzers ... I'm not even sure how to incorporate that into my simple dashboard 🙂 There must be a simpler way to get the same result such as with an |appendpipe or some other feature.

0 Karma


This is a Simple XML example, so it does not require you to add additional css/js or HTML code. You can refer to the Splunk 6.x Dashboard Examples app for details. Just edit the source of your existing code and place the job.resultCount related code in Chart <title>, <search><progress> and <search><cancelled>. The progress event sets the token sourcetype_count (could be any variable name). The cancelled event resets the token and the Title section uses the token. (It is not as tough as it seems :))

PS: Splunk itself uses the same variable for knowing whether a search returned results or not. For example, N/A being displayed when a search returns no result.

Other options if you do not want to use job.resultCount would be

1) Use accum : ... | eval sno=0 | eval sno=sno+1 | accum sno | ...

2) Enable Row Number: Edit Panel, Choose Edit Table option and Under General settings set Row Numbers as Yes.

| makeresults | eval message= "Happy Splunking!!!"
0 Karma


Oh I now understand. You might have to use $job.resultCount$ property for **** event and then assign it to a token to be used later in your Panel as HTML.

Check Search Result Setter in Splunk 6.x Dashboard Examples

      <chart>
        <title>Top sourcetypes ($sourcetype_count$ total sourcetypes)</title>
        <search>
          <query>index=_internal | top sourcetype</query>
          <!-- Use the following search events to access job properties, and set tokens that can be accessible throughout the page -->
          <!-- Progress event has access to job properties only (not first result row) -->
          <progress>
            <set token="sourcetype_count">$job.resultCount$</set>
          </progress>
          <cancelled>
            <unset token="sourcetype_count"></unset>
          </cancelled>
        </search>
        <option name="charting.chart">bar</option>
        <option name="charting.legend.placement">none</option>
      </chart>
| makeresults | eval message= "Happy Splunking!!!"


Excellent. This works like a charm. 
With this solution, we can show the number of returned results outside an XML table.
Great. Thank you.

0 Karma

Super Champion

can you just add |addcoltotals

Path Finder

No, that only totals up columns. I have no column to total that will give a total count.

0 Karma
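
The appendpipe approach the original poster asks about, as an added example that is not part of any post in this thread: the subpipeline counts the rows already in the pipeline and appends one labelled row, so the base search runs once and no count column is left in the output. The sample data from makeresults and the field names host, action, n and total are constructed for illustration.

```spl
| makeresults count=5
| streamstats count AS n
| eval host="web-0".n, action=if(n%2==0, "blocked", "allowed")
| table host, action
| appendpipe
    [ stats count AS total
    | eval host="TOTAL EVENTS", action=tostring(total)
    | fields - total ]
```

Replace the first four lines with your own search and table command, and put the label and the count into whichever two existing columns suit your output.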