column totals

a212830 · ‎06-25-2014

Hi,

I want to add some totals for a search. The search is below, and it works fine. How would I then add:

totals for all hosts
subtotal by index and sourcetype

index=ngcc* |fields host, index, sourcetype |dedup host, index, sourcetype |table host, index, sourcetype |sort host

somesoni2 · ‎06-25-2014

Give this a try

index=ngcc* |fields host, index, sourcetype |dedup host, index, sourcetype |table host, index, sourcetype |sort host | eventstats count as GrandTotal | eventstats count as SubTotal by index, sourcetype

OR simply

index=ngcc*  |stats count by host, index, sourcetype  | fields - count | stats count as SubTotal by index, sourcetype | eventstats sum(SubTotal) as AllHostTotal

lpolo · ‎06-25-2014

I am not sure what you need to but try this query. It might help you to get what you need:

  index=ngcc*|fields host, index, sourcetype  |dedup host, index, sourcetype  |table host, index, sourcetype |sort host|streamstats count

martin_mueller · ‎06-25-2014

Are you looking to count values by some fields? Take a look at the stats command: http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/stats

I'm not quite sure what your desired result looks like, maybe post an example.

column totals

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?