

I am trying to create a total of values in different fields and add it to the output as a different field. I am able to get the value of different fields but got stuck on how to add them.

sourcetype="xxxx" earliest=-31d@d latest=@d | dedup record.incidentId | stats count by record.priority

This is the command which I used to get the data. The data now is

record.priority    count
1                  6
2                  7568
3                  6346
4                  68

Now I wanted to add another field with a total of all the count values in the same chart.

Does anyone have an idea on how to do that? Is there any other method where I can first get the whole total of the count in a bar chart for a 31 day period and then probably draw the graph with different priority fields which gives the information about each priority with a count of incidents created per day?



asked 15 Oct '12, 07:51

theouhuios

accept rate: 40%

2 Answers:

Used the addtotals <fields> command to get a total value. Then used fields to remove the redundant fields which weren't needed.

Thanks for all your help.


answered 15 Oct '12, 12:04

theouhuios

accept rate: 40%

You should probably look at the addcoltotals command:

your_search_here | addcoltotals labelfield=record.priority label="Total count"

See the docs here:

For the second part of your query, I don't really understand how you want the output, but try:

sourcetype="xxxx" earliest=-31d@d latest=@d | dedup record.incidentId | timechart span=1d count by record.priority

You can paste the search (or write a new one from scratch) into the Advanced Charting view (under the "Dashboards & Views" menu), and play around with the visualization options.

Hope this helps,



answered 15 Oct '12, 08:22


kristian.kolb ♦
accept rate: 36%

that or eventstats

(15 Oct '12, 08:28) gkanapathy ♦

True, addcoltotals does not create a new field per se, but I gathered that the real request was more for presentation purposes.

(15 Oct '12, 08:33) kristian.kolb ♦

Hmm.. The timechart is the way I am doing it as of now. But I am trying to see if I can actually use multiple visualizations on a single dashboard. Like a bar chart mentioning the total count of incidents and then a line chart upon the bar chart which graphs according to number of incidents and the priority of the incident.

(15 Oct '12, 08:51) theouhuios
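
Added example (not part of the original thread): the difference between the two suggestions above, eventstats adding the total as a new field on every row and addcoltotals appending a summary row, shown in one search. It assumes a Splunk version that has makeresults, rebuilds the four counts from the question as constructed sample rows, and uses the simplified field name priority in place of record.priority.

```spl
| makeresults count=4
| streamstats count AS priority
| eval count=case(priority=1, 6, priority=2, 7568, priority=3, 6346, priority=4, 68)
| fields - _time
| eventstats sum(count) AS total
| eval pct=round(100 * count / total, 2)
| addcoltotals labelfield=priority label="Total count" count
```

Each of the four priority rows gets total=13988 and its own pct, which is what is needed when the total has to be used in later calculations. The extra "Total count" row from addcoltotals only suits a table; drop that last line before charting so the total is not plotted as a fifth priority.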

Asked: 15 Oct '12, 07:51

Seen: 1,957 times

Last updated: 15 Oct '12, 12:04

Copyright © 2005-2014 Splunk Inc. All rights reserved.