Splunk Search

How do I get addtotals to exclude one of the column?

pkaarana
New Member

I need to addtotals to exclude one of the columns created as a result of chart command.
P.S: I need exclusion, not inclusion.

Tags (1)
0 Karma

amckinnie_splun
Splunk Employee
Splunk Employee

addtotals | eval Total=(Total - ExcludedField)

0 Karma

ManiKandanS
New Member

|addtotals label=total labelfiled=field which you want to remove

0 Karma

somesoni2
SplunkTrust
SplunkTrust

If the name of fields that you want to include is finite and is known, use @adonio's answer. If they are dynamic but you know which one to exclude, try this workaround,
Updated

your current search | rename field_to_exclude as dont_field_to_exclude  * as include_* | addcoltotals include_* | rename dont_field_to_exclude as field_to_exclude   include_* as *
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

@somesoni2 - Shouldn't your first rename be...

| rename * as include_*, field_to_exclude as dont_field_to_exclude

somesoni2
SplunkTrust
SplunkTrust

Yes, I tried to copy it to next rename and did cut instead. Thanks for pointing that out.

adonio
Ultra Champion

hello pkaarana,
you can use addcoltotals with fields and specify only the fields that you want. example here:
index = _internal | stats sum(bytes) as totalBytes avg(bytes) as avgBytes by host | addcoltotals totalBytes

aai
New Member

This isn't an answer but the question was about addtotals not addcoltotals. If, for instance, I want to exclude the first column of a chart from a row total, how is that done?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...