Splunk Search

how to add the total in GB

harishsplunk7
Explorer

I need to add the total GB.  Please let me know how to add the over all total. 

Index          Source-Type                   GB
aws_vpcflow    aws:vpcflow                   26192.00305
               aws:cloudwatchlogs:vpcflow    32.695269
windows        windows:fluentd               19939.02727
               windows                       9713.832884
               WinEventLog:Security          8.928759

ITWhisperer
SplunkTrust

Try switching the last two lines

| addtotals col=t row=f labelfield=Index label="Overall Total"
| stats  list(SourceType) as "Source-Type", list(GB) as GB by Index


meetmshah
Builder

You can use addtotals as below - 

| addtotals col=t row=f labelfield=index label="Overall Total"


Please accept the solution and hit Karma, if this helps!


harishsplunk7
Explorer

If I use the

| addtotals col=t row=f labelfield=Index label="Overall Total"

I am getting an incorrect total result,
because one index has multiple sourcetype values.


ITWhisperer
SplunkTrust

Please share your actual events (anonymised appropriately) in a codeblock


harishsplunk7
Explorer

Please find the below sample values

Index          Source-Type                   GB
aws_vpcflow    aws:vpcflow                   10
               aws:cloudwatchlogs:vpcflow    20
windows        windows:fluentd               30
               windows                       40
               WinEventLog:Security          50
cloud          cloud_watch                   60
               aws_cloud                     70

ITWhisperer
SplunkTrust

What search did you use to get this table?


harishsplunk7
Explorer
index=_internal source=/opt/splunk/var/log/splunk/license_usage.log type=Usage
| stats sum(b) as bytes by st, idx
| eval GB=round(bytes/(1024*1024*1024),6)
| table st, idx, GB
| sort -GB
| eventstats sum(GB) as total
| eval Percentage=round((GB/total)*100,6)
| rename st as SourceType
| rename idx as Index
| stats list(SourceType) as "Source-Type", list(GB) as GB by Index
| addtotals col=t row=f labelfield=Index label="Overall Total"

ITWhisperer
SplunkTrust

Or

| stats  list(SourceType) as "Source-Type", list(GB) as GB by Index
| appendpipe
    [| stats sum(GB) as GB
    | eval Index="Overall Total"]
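The poster's full search above, the accepted reordering (addtotals before the final stats) and the appendpipe alternative all take the overall total from the per-(index, sourcetype) rows before those rows are collapsed into multivalue list() fields. The Python script below is an added example, not code from the thread or from Splunk: it reproduces that pipeline offline over a few constructed license_usage.log lines so the expected Overall Total (and the per-sourcetype percentages) can be checked against what the search returns. The field layout of the sample lines is assumed from the shape of Usage events and is abbreviated.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of Splunk's license_usage.log "Usage"
# events (field list abbreviated; the exact format of the real log is assumed).
# b is bytes indexed, st the sourcetype, idx the index.
SAMPLE_LOG = """\
03-01-2025 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="aws" st="aws:vpcflow" h="fwd1" o="" idx="aws_vpcflow" pool="auto_generated_pool_enterprise" b=10737418240 poolsz=107374182400
03-01-2025 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="aws" st="aws:cloudwatchlogs:vpcflow" h="fwd1" o="" idx="aws_vpcflow" pool="auto_generated_pool_enterprise" b=21474836480 poolsz=107374182400
03-01-2025 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="fluentd" st="windows:fluentd" h="win1" o="" idx="windows" pool="auto_generated_pool_enterprise" b=32212254720 poolsz=107374182400
03-01-2025 00:00:01.000 +0000 INFO  LicenseUsage - type="Usage" s="wineventlog" st="WinEventLog:Security" h="win1" o="" idx="windows" pool="auto_generated_pool_enterprise" b=53687091200 poolsz=107374182400
03-01-2025 00:01:01.000 +0000 INFO  LicenseUsage - type="Usage" s="wineventlog" st="WinEventLog:Security" h="win2" o="" idx="windows" pool="auto_generated_pool_enterprise" b=536870912 poolsz=107374182400
03-01-2025 00:00:00.000 +0000 INFO  LicenseUsage - type="RolloverSummary" pool="auto_generated_pool_enterprise" b=118111600640 poolsz=107374182400
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="value" or key=value
GIB = 1024 ** 3


def parse_usage(text):
    """Equivalent of `index=_internal source=.../license_usage.log type=Usage`:
    keep only Usage events and return (idx, st, bytes) triples."""
    rows = []
    for line in text.splitlines():
        fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in KV.finditer(line)}
        if fields.get("type") != "Usage":
            continue  # RolloverSummary lines carry pool totals and would double-count
        rows.append((fields["idx"], fields["st"], int(fields["b"])))
    return rows


def gb_by_index_sourcetype(rows):
    """`stats sum(b) as bytes by st, idx | eval GB=round(bytes/(1024*1024*1024),6)`"""
    bytes_by_key = defaultdict(int)
    for idx, st, b in rows:
        bytes_by_key[(idx, st)] += b
    return {key: round(b / GIB, 6) for key, b in bytes_by_key.items()}


def usage_report(rows):
    """Build the per-index report plus the overall total.

    The total is summed from the per-(index, sourcetype) rows before they are
    collapsed into list() values, which is what running addtotals ahead of the
    final stats (or the appendpipe variant) achieves in SPL."""
    per_row = gb_by_index_sourcetype(rows)
    overall = round(sum(per_row.values()), 6)  # eventstats sum(GB) as total
    report = {}
    # `sort -GB` before `stats list(...) by Index` keeps the largest sourcetype first
    for (idx, st), gb in sorted(per_row.items(), key=lambda kv: -kv[1]):
        entry = report.setdefault(idx, {"Source-Type": [], "GB": [], "Percentage": []})
        entry["Source-Type"].append(st)
        entry["GB"].append(gb)
        entry["Percentage"].append(round(gb / overall * 100, 6))
    return report, overall


def render(report, overall):
    """Plain-text table in the same layout as the poster's output, with the total row."""
    lines = [f"{'Index':<14} {'Source-Type':<28} {'GB':>12}"]
    for idx, entry in report.items():
        for i, (st, gb) in enumerate(zip(entry["Source-Type"], entry["GB"])):
            lines.append(f"{idx if i == 0 else '':<14} {st:<28} {gb:>12.6f}")
    lines.append(f"{'Overall Total':<14} {'':<28} {overall:>12.6f}")
    return "\n".join(lines)


if __name__ == "__main__":
    report, overall = usage_report(parse_usage(SAMPLE_LOG))
    print(render(report, overall))
```

With the constructed input the two WinEventLog:Security events are summed into one 50.5 GB row, and the Overall Total is 110.5 GB, the sum of the four per-row values rather than of the collapsed per-index lists.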