Here is my search
index="aries" splunk tt=HL7* |
chart count by si , tt |
addtotals |
addcoltotals|
rename si as GenKey |
rename count as Count
My GenKey/si is is an identifying number. I do not want to add the identifier into my totals, nor do I want a column total of the identifer. How do I ignore the identifier and just add the pertinent data from the table?
|addtotals label=total labelfiled=field which you want to remove
I prefer eval to addtotals
eval total=field1 + field2 + field3
Instead of addcoltotals, use the addtotals command with the col option
addtotals col=true field1 field2 field3
BUT, you may have a more fundamental problem. After the second line of your command, you have only 3 fields available in the pipeline: count, si, tt. If that's what you want, then okay. The chart command is also making things weird, so I used the stats command instead
index="aries" splunk tt=HL7* |
stats count by si , tt |
eval total = count + tt|
addcoltotals col=t total count tt|
rename si as GenKey |
rename count as Count