Splunk® Enterprise

Search Reference

Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

addcoltotals

Description

The addcoltotals command appends a new result to the end of the search result set. The result contains the sum of each numeric field or you can specify which fields to summarize. Results are displayed on the Statistics tab. If the labelfield argument is specified, a column is added to the statistical results table with the name specified.

Syntax

addcoltotals [labelfield=<field>] [label=<string>] [<wc-field-list>]

Optional arguments

<wc-field-list>
Syntax: <field> ...
Description: A space delimited list of valid field names. The addcoltotals command calculates the sum only for the fields in the list you specify. You can use the asterisk ( * ) as a wildcard to specify a list of fields with similar names. For example, if you want to specify all fields that start with "value", you can use a wildcard such as value*.
Default: Calculates the sum for all of the fields.
labelfield
Syntax: labelfield=<fieldname>
Description: Specify a field name to add to the result set.
Default: none
label
Syntax: label=<string>
Description: Used with the labelfield argument to add a label in the summary event. If the labelfield argument is absent, the label argument has no effect.
Default: Total

Basic examples

1. Compute the sums of all the fields

Compute the sums of all the fields, and put the sums in a summary event called "change_name".

... | addcoltotals labelfield=change_name label=ALL

2. Add a column total for two specific fields

Add a column total for two specific fields in a table.

sourcetype=access_* | table userId bytes avgTime duration | addcoltotals bytes duration

3. Create the totals for a field that match a field name pattern

Filter fields for two name-patterns, and get totals for one of them.

... | fields user*, *size | addcoltotals *size

4. Specify a field name for the column totals

Augment a chart with a total of the values present.

index=_internal source="metrics.log" group=pipeline | stats avg(cpu_seconds) by processor | addcoltotals labelfield=processor

Extended example

1. Generate a total for a column

This example uses the sample data from the Search Tutorial but should work with any format of Apache web access log. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search.

The following search looks for events from web access log files that were successful views of strategy games. A count of the events by each product ID is returned.

sourcetype=access_* status=200 categoryId=STRATEGY | chart count AS views by productId

The results appear on the Statistics tab and look something like this:

productId views
DB-SG-G01 1796
DC-SG-G02 1642
FS-SG-G03 1482
PZ-SG-G05 1300

You can use the addcoltotals command to generate a total of the views and display the total at the bottom of the column.

sourcetype=access_* status=200 categoryId=STRATEGY | chart count AS views by productId | addcoltotals

The results appear on the Statistics tab and look something like this:

productId views
DB-SG-G01 1796
DC-SG-G02 1642
FS-SG-G03 1482
PZ-SG-G05 1300
6220

You can use add a field to the results that labels the total.

sourcetype=access_* status=200 categoryId=STRATEGY | chart count AS views by productId | addcoltotals labelfield="Total views"

The results appear on the Statistics tab and look something like this:

productId views Total views
DB-SG-G01 1796
DC-SG-G02 1642
FS-SG-G03 1482
PZ-SG-G05 1300
6220 Total

See also

Commands
addtotals
stats
Last modified on 22 January, 2021
accum   addinfo

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters