Splunk Search

Why am I unable to add field values over timechart?

P_Orourke
Loves-to-Learn Lots

Hi,

I have 2 timecharts where I need to show a TOTAL count across specified field values. The first timechart must show the total count over all field values and the 2nd timechart must show the total count over 2 field values. I am unable to incorporate a stats or eval function before the timechart function.

Here is what my timecharts currently look like:
Cannot add totals on timecharts.PNG

And here is the respective XML code:
Cannot add totals on timecharts - XML.PNG


Can you please help?

Many thanks,

Patrick

Labels (2)
0 Karma

maciep
Champion

I'm not sure if I understand exactly what you're asking, but maybe you can use addtotals after your timehart?

 

 

... | addtotals row=t col=f labelfield="Total"

 

 

That should calcualte the total sum of any number columns in each row and store in a field called "Total", which should be present on your chart then.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...