Solved: Show subtotals in results table

MatMeredith · ‎04-22-2013

I have a search returning results in a table with columns for:
date, username, eventcount

I'd like to display subtotals in the table something like this.

Monday, Fred, 7
Monday, Joe, 15
Totals for Monday 22
Tuesday, Fred 10
Totals for Tuesday 10
etc

Is it possible?

kristian_kolb · ‎04-22-2013

Appendpipe might hold the answers for you;

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Appendpipe

your base search | stats count by date username | appendpipe [stats sum(count) as count by date | eval username = "Total"]

Hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎04-22-2013

Appendpipe might hold the answers for you;

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Appendpipe

your base search | stats count by date username | appendpipe [stats sum(count) as count by date | eval username = "Total"]

Hope this helps,

Kristian

kristian_kolb · ‎04-22-2013

eval username = "Totals for " ?

MatMeredith · ‎04-22-2013

Thanks -- that looks like it'll do the job. Now I just need to figure whether I can get those total rows formatted differently (like shown in bold)...

Show subtotals in results table

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor