I need addtotals to exclude one of the columns created as a result of the chart command.
P.S: I need exclusion, not inclusion.
addtotals | eval Total=(Total - ExcludedField)
| addtotals label=total labelfield=field which you want to remove
If the names of the fields that you want to include are finite and known, use @adonio's answer. If they are dynamic but you know which one to exclude, try this workaround:
Updated
your current search | rename field_to_exclude as dont_field_to_exclude * as include_* | addcoltotals include_* | rename dont_field_to_exclude as field_to_exclude include_* as *
@somesoni2 - Shouldn't your first rename be...
| rename * as include_*, field_to_exclude as dont_field_to_exclude
Yes, I tried to copy it to next rename and did cut instead. Thanks for pointing that out.
Hello pkaarana,
You can use addcoltotals with fields and specify only the fields that you want. Example here:
index = _internal | stats sum(bytes) as totalBytes avg(bytes) as avgBytes by host | addcoltotals totalBytes
This isn't an answer but the question was about addtotals not addcoltotals. If, for instance, I want to exclude the first column of a chart from a row total, how is that done?
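The subtract-after-totalling approach from the thread, written out as a full search for a row total (an added example, not part of any post above). The rows are constructed with makeresults, and the field names host, GET, POST and ERROR are assumptions. The coalesce() covers rows where the excluded column is null, since subtracting a null in eval would otherwise leave Total empty for that row.

```spl
| makeresults count=3
| streamstats count as n
| eval host="web".n, GET=n*10, POST=n*5, ERROR=if(n=2, null(), n)
| table host GET POST ERROR
| addtotals fieldname=Total
| eval Total = Total - coalesce(ERROR, 0)
```

On this constructed data the three rows end with Total values of 15, 30 and 45, that is, GET plus POST only.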