Solved: Show subtotals in results table

MatMeredith · ‎04-22-2013

I have a search returning results in a table with columns for:
date, username, eventcount

I'd like to display subtotals in the table something like this.

Monday, Fred, 7
Monday, Joe, 15
Totals for Monday 22
Tuesday, Fred 10
Totals for Tuesday 10
etc

Is it possible?

kristian_kolb · ‎04-22-2013

Appendpipe might hold the answers for you;

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Appendpipe

your base search | stats count by date username | appendpipe [stats sum(count) as count by date | eval username = "Total"]

Hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎04-22-2013

Appendpipe might hold the answers for you;

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Appendpipe

your base search | stats count by date username | appendpipe [stats sum(count) as count by date | eval username = "Total"]

Hope this helps,

Kristian

kristian_kolb · ‎04-22-2013

eval username = "Totals for " ?

MatMeredith · ‎04-22-2013

Thanks -- that looks like it'll do the job. Now I just need to figure whether I can get those total rows formatted differently (like shown in bold)...

Show subtotals in results table

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms