I need to add the total GB. Please let me know how to add the overall total.
Try switching the last two lines
| addtotals col=t row=f labelfield=Index label="Overall Total"
| stats list(SourceType) as "Source-Type", list(GB) as GB by Index
You can use addtotals as below -
| addtotals col=t row=f labelfield=index label="Overall Total"
Please accept the solution and hit Karma, if this helps!
If I use the
| addtotals col=t row=f labelfield=Index label="Overall Total"
, I am getting an incorrect total result,
because one index and multiple sourcetype values are there.
Please share your actual events (anonymised appropriately) in a codeblock
Please find the below sample values
Index | Source-Type | GB |
aws_vpcflow | aws:vpcflow | 10 |
 | aws:cloudwatchlogs:vpcflow | 20 |
windows | windows:fluentd | 30 |
 | windows | 40 |
 | WinEventLog:Security | 50 |
cloud | cloud_watch | 60 |
 | aws_cloud | 70 |
What search did you use to get this table?
index=_internal source=/opt/splunk/var/log/splunk/license_usage.log type=Usage
| stats sum(b) as bytes by st , idx
| eval GB=round(bytes/(1024*1024*1024),6)
| table st, idx, GB
| sort -GB
| eventstats sum(GB) as total
| eval Percentage=round((GB/total)*100,6)
| rename st as SourceType
| rename idx as Index
| stats list(SourceType) as "Source-Type", list(GB) as GB by Index
| addtotals col=t row=f labelfield=Index label="Overall Total"
Or
| stats list(SourceType) as "Source-Type", list(GB) as GB by Index
| appendpipe
[| stats sum(GB) as GB
| eval Index="Overall Total"]