Usage of Splunk commands : ADDCOLTOTALS is as follows :
Computes and appends a new result with fields that represent the sum of all values of numeric fields in the input
Find below the skeleton of the usage of the command "addcoltotals" in SPLUNK :
addcoltotals [labelfield=<field>] [ label=<String>] [<fieldlist>]
Example -1 :
index=_internal
| head 3
| table date_year,date_second
| addcoltotals
Result :
| date_year | date_second |
|---|---|
| 2015 | 49 |
| 2015 | 49 |
| 2015 | 48 |
| 6045 | 146 |
Explanation :
6045 is the addition of the column "date_year" and
146 is the addition of the column "date_second".
We have not specified any <fieldname> after
"addcoltotals", that's why it is summing up all
fields value and showing in the result set.
*************************************************
Example -2 :
| head 3
| table date_year,date_second
| addcoltotals date_second
| date_year | date_second |
|---|---|
| 2015 | 49 |
| 2015 | 49 |
| 2015 | 48 |
| 146 |
Explanation :
Now,we have specified the specific <fieldname>
on which "addcoltotals" should show its magic.
146 is the totals of "date_second" column and
there is no total count for "date_year" column.
*************************************************
Example -3 :
index=_internal
| head 3
| table date_year,date_second
| addcoltotals date_second labelfield="NEW_FIELD"
Result :
| date_year | date_second | NEW_FIELD |
|---|---|---|
| 2015 | 51 | |
| 2015 | 51 | |
| 2015 | 51 | |
| 153 | Total |
Explanation :
In this case we have used "labelfield" option.
It will add a new column called "NEW_FIELD" and
it will show the "Total" String by default
at the bottom where you have the total value
calculated for the "date_second" field.
Note : If instead of by default value "Total" , we want to put
our own string "SUM" , then you have to do the following:
...|addcoltotals date_second labelfield="NEW_FIELD" label="SUM"
*************************************************
Example -4 :
index=_internal
| head 3
| table date_year,date_second
| addcoltotals date_second labelfield="date_year" label="SUM"
Result :
Explanation :
In this case we have put the "SUM" String in the
existing column "date_year" to make the report
look beautiful and professional
Note : 'label' has no effect if 'labelfield' is not defined
Example -4 :
index=_internal
| head 3
| table date_year,date_second
| addcoltotals date_second labelfield="date_year" label="SUM"
Result :
| date_year | date_second |
|---|---|
| 2015 | 58 |
| 2015 | 58 |
| 2015 | 58 |
| SUM | 174 |
Explanation :
In this case we have put the "SUM" String in the
existing column "date_year" to make the report
look beautiful and professional
Note : 'label' has no effect if 'labelfield' is not defined
Now you can effectively utilize "addcoltotals"command in your daily use to meet your requirement !!
Hope you are now comfortable in : Usage of Splunk commands : ADDCOLTOTALS
HAPPY SPLUNKING !!
No comments:
Post a Comment