How do I get addtotals to exclude one of the colum...

pkaarana · ‎04-20-2017

I need to addtotals to exclude one of the columns created as a result of chart command.
P.S: I need exclusion, not inclusion.

amckinnie_splun · ‎07-10-2019

addtotals | eval Total=(Total - ExcludedField)

ManiKandanS · ‎11-24-2017

|addtotals label=total labelfiled=field which you want to remove

somesoni2 · ‎04-20-2017

If the name of fields that you want to include is finite and is known, use @adonio's answer. If they are dynamic but you know which one to exclude, try this workaround,
Updated

your current search | rename field_to_exclude as dont_field_to_exclude  * as include_* | addcoltotals include_* | rename dont_field_to_exclude as field_to_exclude   include_* as *

DalJeanis · ‎04-20-2017

@somesoni2 - Shouldn't your first rename be...

| rename * as include_*, field_to_exclude as dont_field_to_exclude

somesoni2 · ‎04-20-2017

Yes, I tried to copy it to next rename and did cut instead. Thanks for pointing that out.

adonio · ‎04-20-2017

hello pkaarana,
you can use addcoltotals with fields and specify only the fields that you want. example here:
index = _internal | stats sum(bytes) as totalBytes avg(bytes) as avgBytes by host | addcoltotals totalBytes

aai · ‎04-12-2019

This isn't an answer but the question was about addtotals not addcoltotals. If, for instance, I want to exclude the first column of a chart from a row total, how is that done?

How do I get addtotals to exclude one of the column?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk