Splunk Search

column totals

a212830
Champion

Hi,

I want to add some totals for a search. The search is below, and it works fine. How would I then add:

totals for all hosts
subtotal by index and sourcetype

index=ngcc* |fields host, index, sourcetype |dedup host, index, sourcetype |table host, index, sourcetype |sort host

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try

index=ngcc* |fields host, index, sourcetype |dedup host, index, sourcetype |table host, index, sourcetype |sort host | eventstats count as GrandTotal | eventstats count as SubTotal by index, sourcetype

OR simply

index=ngcc*  |stats count by host, index, sourcetype  | fields - count | stats count as SubTotal by index, sourcetype | eventstats sum(SubTotal) as AllHostTotal
0 Karma

lpolo
Motivator

I am not sure what you need to but try this query. It might help you to get what you need:

  index=ngcc*|fields host, index, sourcetype  |dedup host, index, sourcetype  |table host, index, sourcetype |sort host|streamstats count
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Are you looking to count values by some fields? Take a look at the stats command: http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/stats

I'm not quite sure what your desired result looks like, maybe post an example.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...