Splunk Search

how to add the total in GB

harishsplunk7
Explorer

I need to add the total GB.  Please let me know how to add the over all total. 

Index         Source-Type                  GB
aws_vpcflow   aws:vpcflow                  26192.00305
              aws:cloudwatchlogs:vpcflow   32.695269
windows       windows:fluentd              19939.02727
              windows                      9713.832884
              WinEventLog:Security         8.928759
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try switching the last two lines

| addtotals col=t row=f labelfield=Index label="Overall Total"
| stats  list(SourceType) as "Source-Type", list(GB) as GB by Index


0 Karma

meetmshah
Builder

You can use addtotals as below - 

| addtotals col=t row=f labelfield=index label="Overall Total"
Please accept the solution and hit Karma, if this helps!

0 Karma

harishsplunk7
Explorer

If I use the

| addtotals col=t row=f labelfield=Index label="Overall Total"

I am getting an incorrect total result, because there is one index with multiple sourcetype values.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Please share your actual events (anonymised appropriately) in a codeblock

0 Karma

harishsplunk7
Explorer

Please find the below sample values

Index         Source-Type                  GB
aws_vpcflow   aws:vpcflow                  10
              aws:cloudwatchlogs:vpcflow   20
windows       windows:fluentd              30
              windows                      40
              WinEventLog:Security         50
cloud         cloud_watch                  60
              aws_cloud                    70
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What search did you use to get this table?

0 Karma

harishsplunk7
Explorer
index=_internal source=/opt/splunk/var/log/splunk/license_usage.log type=Usage
| stats sum(b) as bytes by st, idx
| eval GB=round(bytes/(1024*1024*1024),6)
| table st, idx, GB
| sort -GB
| eventstats sum(GB) as total
| eval Percentage=round((GB/total)*100,6)
| rename st as SourceType
| rename idx as Index
| stats list(SourceType) as "Source-Type", list(GB) as GB by Index
| addtotals col=t row=f labelfield=Index label="Overall Total"
0 Karma
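The accepted fix assembled into the complete search, as an added example that is not code from any post in this thread. The point of the reordering: addtotals col=t sums one column across rows, so it has to run while GB is still one value per row. After stats list(GB) by Index, GB is a multivalue field and the column total no longer reflects one number per sourcetype. The trailing GB on the addtotals line is the optional field-list argument, which restricts summing to that one field; without it addtotals sums every numeric field still in the pipeline (bytes, total and Percentage in the search above). The fields and sort lines are assumptions added so that list() emits the sourcetypes in descending-size order within each index.

```spl
index=_internal source=/opt/splunk/var/log/splunk/license_usage.log type=Usage
| stats sum(b) as bytes by st, idx
| eval GB=round(bytes/(1024*1024*1024),6)
| rename st as SourceType, idx as Index
| fields Index, SourceType, GB
| sort Index, -GB
| addtotals col=t row=f labelfield=Index label="Overall Total" GB
| stats list(SourceType) as "Source-Type", list(GB) as GB by Index
```

One caveat on layout: because the final stats groups by Index, the "Overall Total" row is sorted alphabetically among the index names rather than placed last. If the total has to sit at the bottom, use the appendpipe form ITWhisperer posted, which appends the summary row after the grouped rows exist.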

ITWhisperer
SplunkTrust
SplunkTrust

Or

| stats  list(SourceType) as "Source-Type", list(GB) as GB by Index
| appendpipe
    [| stats sum(GB) as GB
    | eval Index="Overall Total"]
0 Karma
