Re: column totals

a212830 · ‎06-25-2014

Hi,

I want to add some totals for a search. The search is below, and it works fine. How would I then add:

totals for all hosts
subtotal by index and sourcetype

index=ngcc* |fields host, index, sourcetype |dedup host, index, sourcetype |table host, index, sourcetype |sort host

somesoni2 · ‎06-25-2014

Give this a try

index=ngcc* |fields host, index, sourcetype |dedup host, index, sourcetype |table host, index, sourcetype |sort host | eventstats count as GrandTotal | eventstats count as SubTotal by index, sourcetype

OR simply

index=ngcc*  |stats count by host, index, sourcetype  | fields - count | stats count as SubTotal by index, sourcetype | eventstats sum(SubTotal) as AllHostTotal

lpolo · ‎06-25-2014

I am not sure what you need to but try this query. It might help you to get what you need:

  index=ngcc*|fields host, index, sourcetype  |dedup host, index, sourcetype  |table host, index, sourcetype |sort host|streamstats count

martin_mueller · ‎06-25-2014

Are you looking to count values by some fields? Take a look at the stats command: http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/stats

I'm not quite sure what your desired result looks like, maybe post an example.

column totals

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!