Usage of Splunk commands : ADDTOTALS

Usage of Splunk commands : ADDTOTALS is as follows

  • The addtotals command computes the arithmetic sum of all numeric fields for each search result.
  • The result appears in the statistics table.
  • By default the output field is named “Total”.
  • You can specify which fields you want summed.

Find below the skeleton of the usage of the command “addtotals” in SPLUNK :

addtotals [fieldname=<field>] [<field-list>]


Example 1:

index=_internal
| table date_hour,date_minute,date_second
| dedup date_hour,date_minute,date_second
| head 5
| addtotals

Result :

[Screenshot: statistics table showing the “Total” field]

Explanation :

In the above query “date_hour”, “date_minute” and “date_second” are existing field names in the “_internal” index.
The “addtotals” command computes the arithmetic sum of these three numeric fields for each search result and returns the result in the “Total” field, because we did not pass any argument to the “addtotals” command.

Ex.- 6 + 40 + 37 = 83 for the first row.

        6 + 40 + 35 = 81 for the second row.

*************************************************************************************

 Example 2:

index=_internal
| table date_hour,date_minute,date_second
| dedup date_hour,date_minute,date_second
| head 5
| addtotals fieldname="GRAND_TOTALS"

Result :

[Screenshot: statistics table showing the “GRAND_TOTALS” field]

Explanation :

In the above query “date_hour”, “date_minute” and “date_second” are existing field names in the “_internal” index.
The “addtotals” command computes the arithmetic sum of these three numeric fields for each search result and returns the result in the “GRAND_TOTALS” field, because we passed the fieldname argument to the “addtotals” command.
The fieldname argument names the field to which the result of the “addtotals” command is assigned.

Ex.- 6 + 47 + 8 = 61 for the first row.

        6 + 47 + 6 = 59 for the second row.

*************************************************************************************

Example 3:

index=_internal
| table date_hour,date_minute,date_second
| dedup date_hour,date_minute,date_second
| head 5
| addtotals date_hour,date_second

Result :

[Screenshot: statistics table showing the “Total” field computed from date_hour and date_second only]

Explanation:

In the above query “date_hour”, “date_minute” and “date_second” are existing field names in the “_internal” index.
The “addtotals” command computes the arithmetic sum of only the specified fields (“date_hour” and “date_second”) and returns the result in the “Total” field.

Ex.- 6 + 27 = 33 for the first row.

        6 + 26 = 32 for the second row.
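To make the behaviour behind the three examples concrete, here is a small Python model of what “addtotals” does per row. This is an added example, not code from the post or from Splunk: it sums the numeric fields of each result, writes the sum into “Total” (or the name given by fieldname), and optionally restricts the sum to an explicit field list, exactly as Examples 1, 2 and 3 do. The sample rows are constructed from the numbers in Example 1’s explanation; field values are strings because Splunk hands search-result fields to commands as text.

```python
# Added example (not from the original post or from Splunk): a model of
# `| addtotals [fieldname=<field>] [<field-list>]` applied row by row.


def _as_number(value):
    """Return value as a float if it is numeric (int, float or numeric string), else None."""
    if isinstance(value, bool):
        return None
    if isinstance(value, (int, float)):
        return float(value)
    if isinstance(value, str):
        try:
            return float(value.strip())
        except ValueError:
            return None
    return None


def addtotals(rows, fieldname="Total", fields=None):
    """Sum the numeric fields of each row into a new field.

    rows:      list of dicts, one per search result
    fieldname: name of the output field ("Total" is the Splunk default)
    fields:    optional list of field names to sum; None means every numeric field
    Non-numeric values (e.g. a host name) are skipped rather than raising an error,
    which mirrors addtotals only counting numeric fields.
    """
    out = []
    for row in rows:
        total = 0.0
        for name, value in row.items():
            if fields is not None and name not in fields:
                continue
            num = _as_number(value)
            if num is not None:
                total += num
        new_row = dict(row)  # do not mutate the caller's result
        new_row[fieldname] = int(total) if total.is_integer() else total
        out.append(new_row)
    return out


# Constructed sample rows shaped like the date_hour/date_minute/date_second
# table in the post (values taken from Example 1's explanation).
SAMPLE_ROWS = [
    {"date_hour": "6", "date_minute": "40", "date_second": "37"},
    {"date_hour": "6", "date_minute": "40", "date_second": "35"},
]


if __name__ == "__main__":
    # Example 1: default output field "Total"
    for r in addtotals(SAMPLE_ROWS):
        print(r)
    # Example 2: fieldname="GRAND_TOTALS"
    for r in addtotals(SAMPLE_ROWS, fieldname="GRAND_TOTALS"):
        print(r)
    # Example 3: only date_hour and date_second are summed
    for r in addtotals(SAMPLE_ROWS, fields=["date_hour", "date_second"]):
        print(r)
```

Note that a field holding a non-numeric value is silently left out of the sum; when totalling counts in a report, check that the fields you expect to be numeric really are, or the total will quietly come out short.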

 

 

Now you can effectively use the “addtotals” command in your daily work to meet your requirements!

Hope you are now comfortable with: Usage of Splunk commands : ADDTOTALS


HAPPY SPLUNKING !!
