Hi,
I need a table that looks like this.
The query I am using is:
app=PROD* | timechart span=1d count by app | addcolstotal
I am unable to get the table to display Total highlighted in red. How should I modify the above query?
Thanks,
Deepak
Just add this to your addcoltotal command
... | addcoltotals labelfield=_time label="Total"
Actually the parameter label is only required if you want to use a string other than "Total" (Total is default label)
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Addcoltotals
just a doc on addcoltotals