addtotals command computes the arithmetic sum of all numeric fields for each search result. The results appear in the Statistics tab in the Search & Reporting App.
You can specify a list of fields that you want the sum for, instead of calculating every numeric field. The sum is placed in a new field.
addtotals command computes the column totals, which adds a new result at the end that represents the sum of each field.
labelfield, if specified, is a field that will be added to this summary event with the value set by the 'label' option. Alternately, instead of using the
addtotals col=true command, you can use the addcoltotals command to calculate a summary event.
addtotals [row=<bool>] [col=<bool>] [labelfield=<field>] [label=<string>] [fieldname=<field>] [<field-list>]
- Syntax: <field> ...
- Description: One or more numeric fields, delimited with a space. Only the fields specified in the <field-list> are summed. If a <field-list> is not specified, all numeric fields are included in the sum.
- Usage: You can use wildcards in the field names. For example, if the field names are
count3you can specify
count*to indicate all fields that begin with 'count'.
- Default: All numeric fields are included in the sum.
- Syntax: row=<bool>
- Description: Specifies whether to calculate the sum of the <field-list> for each event. This is similar to calculating a total for each row in a table. The sum is placed in a new field. The default name of the field is
Total. If you want to specify a different name for the field, use the
- Usage: Because the default is
row=true, specify the
rowargument only when you do not want the event totals to appear
- Default: true
- Syntax: col=<bool>
- Description: Specifies whether to add a new event, referred to as a summary event, at the bottom of the list of events. The summary event displays the sum of each field in the events, similar to calculating column totals in a table.
- Default: false
- Syntax: fieldname=<field>
- Description: Used to specify the name of the field that contains the calculated sum of the field-list for each event. The
fieldnameargument is valid only when
- Default: Total
- Syntax: labelfield=<field>
- Description: Used to specify a field for the summary event label. The
labelfieldargument is valid only when
- * To use an existing field in your result set, specify the field name for the
labelfieldargument. For example if the field name is
- * If there is no field in your result set that matches the
lablefield, a new field is added using the
- Default: none
- Syntax: label=<string>
- Description: Used to specify a row label for the summary event.
- * If the
labelfieldargument is an existing field in your result set, the
labelvalue appears in that row in the display.
- * If the
labelfieldargument creates a new field, the
labelappears in the new field in the summary event row.
- Default: Total
1: Calculate the sum of the numeric fields of each event
... | addtotals
A new column is added to the results, using the default fieldname
2. Specify a name for the field that contains the sums for each event
... | addtotals fieldname=sum
3. Use wildcards to specify the names of the fields to sum
Calculate the sums for the fields that begin with
amount or that contain the text
size in the field name. Save the sums in the field called
... | addtotals fieldname=TotalAmount amount* *size*
4. Calculate the sum for a specific field
In this example, the row calculations are turned off. The total for only a single field is calculated.
....| table Product QTR1 |addtotals row=f col=t labelfield=Product QTR1
5. Calculate the sums of all the fields and add a label to the summary event
Calculate the sums of all the fields. Put the sums in a summary event and add a label called
... | table Product QTR* | addtotals col=t labelfield=Product label="Quarterly Totals" fieldname="Product Totals"
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the addtotals command.
This documentation applies to the following versions of Splunk Cloud™: 6.5.0, 6.5.1, 6.5.1612, 6.6.0, 6.6.1, 6.6.3