Usage of Splunk commands : ADDCOLTOTALS


  Usage of Splunk commands : ADDCOLTOTALS is as follows :

 Computes and appends a new result with fields that represent the sum of all values of numeric fields in the input.


 Find below the skeleton of the usage of the command “addcoltotals” in SPLUNK : 

addcoltotals [labelfield=<field>] [label=<string>] [<fieldname>]

Example -1 :
 
index=_internal
| head 3
| table date_year,date_second
| addcoltotals
 
Result :
 
date_year date_second
2015 49
2015 49
2015 48
6045 146
 
 
Explanation :
 
            6045 is the sum of the column
            “date_year” and 146 is the sum
             of the column “date_second”.
 
            We have not specified any <fieldname>
            after “addcoltotals”, which is why it is
            summing up the values of all fields and
            showing them in the result set.
 
 
        **********************************
 
 
Example -2 :
index=_internal
| head 3
| table date_year,date_second
| addcoltotals date_second
 

Result :

date_year  date_second
2015       49
2015       49
2015       48
           146



Explanation :

            Now we have specified the specific <fieldname>
            on which “addcoltotals” should show its magic.
            146 is the total of the “date_second” column and
            there is no total for the “date_year” column.



     *************************************************


Example -3 :


index=_internal
| head 3
| table date_year,date_second
| addcoltotals date_second labelfield="NEW_FIELD"

Result :

date_year  date_second  NEW_FIELD
2015       51
2015       51
2015       51
           153          Total



Explanation :

            In this case we have used “labelfield” option.
            It will add a new column called “NEW_FIELD” and
            it will show the “Total” String by default
            at the bottom where you have the total value 
            calculated for the “date_second” field.


Note : If, instead of the default value “Total”, we want
our own string “SUM”, then we have to do the following:


…|addcoltotals date_second labelfield="NEW_FIELD" label="SUM"

 

*************************************************

Example -4 :

index=_internal
| head 3
| table date_year,date_second
| addcoltotals date_second labelfield="date_year" label="SUM"      

Result :

date_year date_second
2015 58
2015 58
2015 58
SUM 174


Explanation :

            In this case we have put the “SUM” String in
            the existing column “date_year” to make the
            report look beautiful and professional


Note : ‘label’ has no effect if ‘labelfield’ is not defined.
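
The behaviour shown in Examples 1 to 4 and in the note above can be summarised as a small Python model. This is an added illustration, not Splunk's own code and not code from the original post; the helper name `_num` and the tie-break when `labelfield` is also a totalled column are assumptions.

```python
# Added illustration: a small Python model of addcoltotals as this page
# describes it. It is not Splunk code; the helper name _num is hypothetical.

def _num(value):
    """Return value as a float, or None if it is not numeric."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def addcoltotals(rows, fields=None, labelfield=None, label="Total"):
    """Append one summary row holding the column sums.

    rows       -- list of dicts (one per result)
    fields     -- columns to total; None means every column
    labelfield -- column that receives the label in the summary row
    label      -- label text; ignored when labelfield is not given
    """
    columns = []
    for row in rows:                      # preserve first-seen column order
        for name in row:
            if name not in columns:
                columns.append(name)
    wanted = columns if fields is None else [f for f in fields if f in columns]

    totals = {}
    for name in wanted:
        nums = [n for n in (_num(r.get(name)) for r in rows) if n is not None]
        if nums:                          # columns with no numbers get no total
            s = sum(nums)
            totals[name] = int(s) if s.is_integer() else s
    if labelfield is not None:
        # Assumption: the label wins if labelfield is also a totalled column.
        totals[labelfield] = label
    return rows + [totals]


# Constructed sample rows matching Example 1 on this page.
SAMPLE = [
    {"date_year": 2015, "date_second": 49},
    {"date_year": 2015, "date_second": 49},
    {"date_year": 2015, "date_second": 48},
]

if __name__ == "__main__":
    for row in addcoltotals(SAMPLE, ["date_second"], "date_year", "SUM"):
        print(row)
```
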

 
Now you can effectively utilize the “addcoltotals” command in your daily use to meet your
requirement !!
 
Hope you are now comfortable in : Usage of Splunk commands : ADDCOLTOTALS
HAPPY SPLUNKING !!

 


2 comments

  1. Interesting information. This is just the kind of information that I had been looking for, I'm already your RSS reader now and I would regularly watch out for the new posts. Thanks a million once again, Regards
