Splunk Search
Highlighted

how to ignore a column using addtotals/addcoltotals

New Member

Here is my search

index="aries" splunk tt=HL7* | 
chart count by si , tt | 
addtotals |
addcoltotals|
rename si as GenKey | 
rename count as Count

My GenKey/si is is an identifying number. I do not want to add the identifier into my totals, nor do I want a column total of the identifer. How do I ignore the identifier and just add the pertinent data from the table?

0 Karma
Highlighted

Re: how to ignore a column using addtotals/addcoltotals

Legend

I prefer eval to addtotals

eval total=field1 + field2 + field3

Instead of addcoltotals, use the addtotals command with the col option

addtotals col=true field1 field2 field3

BUT, you may have a more fundamental problem. After the second line of your command, you have only 3 fields available in the pipeline: count, si, tt. If that's what you want, then okay. The chart command is also making things weird, so I used the stats command instead

index="aries" splunk tt=HL7* | 
stats count by si , tt | 
eval total = count + tt|
addcoltotals col=t total count tt|
rename si as GenKey | 
rename count as Count
Highlighted

Re: how to ignore a column using addtotals/addcoltotals

New Member

|addtotals label=total labelfiled=field which you want to remove

0 Karma