Splunk Cloud

Search Reference

Download manual as PDF

Download topic as PDF



The addtotals command computes the arithmetic sum of all numeric fields for each search result. The results appear in the Statistics tab in the Search & Reporting App.

You can specify a list of fields that you want the sum for, instead of calculating every numeric field. The sum is placed in a new field.

If col=true, the addtotals command computes the column totals, which adds a new result at the end that represents the sum of each field. labelfield, if specified, is a field that will be added to this summary event with the value set by the 'label' option. Alternately, instead of using the addtotals col=true command, you can use the addcoltotals command to calculate a summary event.


addtotals [row=<bool>] [col=<bool>] [labelfield=<field>] [label=<string>] [fieldname=<field>] [<field-list>]

Optional arguments

Syntax: <field> ...
Description: One or more numeric fields, delimited with a space. Only the fields specified in the <field-list> are summed. If a <field-list> is not specified, all numeric fields are included in the sum.
Usage: You can use wildcards in the field names. For example, if the field names are count1, count2, and count3 you can specify count* to indicate all fields that begin with 'count'.
Default: All numeric fields are included in the sum.
Syntax: row=<bool>
Description: Specifies whether to calculate the sum of the <field-list> for each event. This is similar to calculating a total for each row in a table. The sum is placed in a new field. The default name of the field is Total. If you want to specify a different name for the field, use the fieldname argument.
Usage: Because the default is row=true, specify the row argument only when you do not want the event totals to appear row=false.
Default: true
Syntax: col=<bool>
Description: Specifies whether to add a new event, referred to as a summary event, at the bottom of the list of events. The summary event displays the sum of each field in the events, similar to calculating column totals in a table.
Default: false
Syntax: fieldname=<field>
Description: Used to specify the name of the field that contains the calculated sum of the field-list for each event. The fieldname argument is valid only when row=true.
Default: Total
Syntax: labelfield=<field>
Description: Used to specify a field for the summary event label. The labelfield argument is valid only when col=true.
* To use an existing field in your result set, specify the field name for the labelfield argument. For example if the field name is IP, specify labelfield=IP.
* If there is no field in your result set that matches the lablefield, a new field is added using the labelfield value.
Default: none
Syntax: label=<string>
Description: Used to specify a row label for the summary event.
* If the labelfield argument is an existing field in your result set, the label value appears in that row in the display.
* If the labelfield argument creates a new field, the label appears in the new field in the summary event row.
Default: Total


1: Calculate the sum of the numeric fields of each event

... | addtotals

A new column is added to the results, using the default fieldname Total.


2. Specify a name for the field that contains the sums for each event

... | addtotals fieldname=sum

3. Use wildcards to specify the names of the fields to sum

Calculate the sums for the fields that begin with amount or that contain the text size in the field name. Save the sums in the field called TotalAmount.

... | addtotals fieldname=TotalAmount amount* *size*

4. Calculate the sum for a specific field

In this example, the row calculations are turned off. The total for only a single field is calculated.

....| table Product QTR1 |addtotals row=f col=t labelfield=Product QTR1


5. Calculate the sums of all the fields and add a label to the summary event

Calculate the sums of all the fields. Put the sums in a summary event and add a label called Quarterly Totals.

... | table Product QTR* | addtotals col=t labelfield=Product label="Quarterly Totals" fieldname="Product Totals"


See also



Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the addtotals command.


This documentation applies to the following versions of Splunk Cloud: 6.5.0, 6.5.1, 6.6.0, 6.5.1612, 6.6.1, 6.6.3, 7.0.0


Addtotals did not originally have the column totals functionality. :D

March 17, 2015

Why do we need addcoltotals, if addtotals includes all the functionality?

January 27, 2015

it may be that your results are being truncated to whatever the lowest precision is for your field values.

Sophy, Splunker
April 16, 2012

It seems that addtotals rounds the result.<br />I cannot get anything else than integers.

Ykherian, Splunker
April 10, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters