Splunk Search

How can I add a summary row to a table in Simple XML

helge
Builder

How can I add a summary row to a table in Simple XML? By summary row I am referring to what is described here, i.e. a special row appended to the table UI that is not affected by sorting. In the UI this is available in the Format menu of the Statistics tab.

Example from the documentation linked to above:

alt text

1 Solution

niketn
Legend

As of Splunk 6.5 the following Simple XML adds a summary and a percentages row:

<option name="percentagesRow">true</option>
<option name="totalsRow">true</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn
Legend

@eggieboylaqui for Table Summary Row, the Label Total can be added using JavaScript with Splunk JS Stack and jQuery Selector, similar to my answer https://answers.splunk.com/answers/593405/drill-down-for-cell.html

Other option for you would be to use addcoltotals or addtoals command with label and labelfield arguments to show Total Label.

alt text

Following is a run anywhere dashboard example with both approach:

<dashboard script="table_summary_row_label.js">
  <label>Summary Total Row with Label</label>
  <row>
    <panel>
      <title>Option 1: Summary Row</title>
      <table id="tableWithTotalRow">
        <search>
          <query>index=_internal sourcetype=splunkd log_level=*
| chart count by log_level component limit=5 useother=f</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">true</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Option 2: Add Total</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level=*
| chart count by log_level component limit=5 useother=f
| addcoltotals labelfield="log_level" label="Total"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

Following is the required JavaScript code table_summary_row_label.js, which would need to be placed under appserver/static folder (typically $SPLUNK_HOME/etc/apps/appserver/<yourAppName>/appserver/static).
PS: If the folder does not exist it would need to be created. Also, since this option requires JavaScript static file, it might require Splunk restart and clearing of internet browser history.

require([
    'underscore',
    'jquery',
    'splunkjs/mvc',
    'splunkjs/mvc/tableview',
    'splunkjs/mvc/simplexml/ready!'
], function(_, $, mvc, TableView) {
    mvc.Components.get("tableWithTotalRow").getVisualization(function(tableView) {
        tableView.on('rendered', function() {
            setTimeout(function(){
                $("div#tableWithTotalRow table tbody tr.shared-resultstable-resultstablesummaryrow td.null").html("Total");
            },100);
        });
    });
});
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

shariinPH
Contributor

This has been a big help.

however the summary row total is not included on the extract table when clicking download/export button on the table. Does anyone know how to solve this?Sample_SummaryTotalRow_Table.pngSample_SummaryTotalRow_Extracted.png

0 Karma

niketn
Legend

@shariinPH use Option 2 with addtotals command which should work for you!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jakubvojacek
Loves-to-Learn

Hello @niketn 

is there a possibility to add a total column but not using addtotals command
As I would like to use Data overlay: heatMap
And with addtotals it is not very usable (Total column is most red)
Or I am not understanding heatmap overlay correctly

0 Karma

eggieboylaqui
Engager

Thanks for the help, will try this one.

0 Karma

eggieboylaqui
Engager

How can we add label Total on that row? Thank you.

0 Karma

woodcock
Esteemed Legend

I didn't even know that such a thing was there; I will definitely be using that!

0 Karma

niketn
Legend

@woodcock @helge... I generally use the Splunk Overview App launched with latest release of Splunk to pick up what's new in it for us.

Splunk Enterprise 6.5 Overview App link: https://splunkbase.splunk.com/app/3287/

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

As of Splunk 6.5 the following Simple XML adds a summary and a percentages row:

<option name="percentagesRow">true</option>
<option name="totalsRow">true</option>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

eggieboylaqui
Engager

How can we add label Total on that row? Thank you.

0 Karma

eggieboylaqui
Engager

How can we add label Total on that row? Thank you.

0 Karma

helge
Builder

Awesome, thanks for the quick answer. It seems this really was not documented!

0 Karma

helge
Builder

@niketnilay Why don't you convert your comment into an answer so I can mark it as correct?

0 Karma

niketn
Legend

@helge... Good to know that the answer helped. Do check out Splunk Enterprise 6.5 Overview App on Splunkbase which also has this feature document. This probably also answers your other question for version support.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

frobinson_splun
Splunk Employee
Splunk Employee

Thanks for pointing this out! I'll double-check our documentation to make sure these two options are mentioned.

0 Karma

frobinson_splun
Splunk Employee
Splunk Employee

helge
Builder

Thanks for the quick update to the docs! One thing I would still like to know: what is the first Splunk version to support that?
I am asking because we need to support older versions with our apps.

0 Karma

frobinson_splun
Splunk Employee
Splunk Employee

Version 6.5 was the first version, coinciding with the UI instructions for adding summary rows that appeared in our 6.5 docs. Thanks for asking.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...