Adding a subtotal to your report

If you’ve taken Splunk training, you should already be familiar with the appendpipe command (it’s used in one of the labs). For those who haven’t, the appendpipe command is an easy way to add a subtotal to your stats command. In my use case, I wanted to get a subtotal of the data indexed by day, but I still wanted a breakdown by index and pool for the report:

index=_internal source=*license_usage.log type="Usage"
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, idx
| eval GB=b/1024/1024/1024
| appendpipe [stats sum(GB) as GB by _time | eval b="Daily Total"]
| sort + _time
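
To show which rows the search above returns, here is an added Python emulation of its eval, bin, stats, appendpipe and sort steps over constructed events. It is not from the original post and is not Splunk code; the event values, the function names and the UTC day binning are assumptions.

```python
from collections import defaultdict

GIB = 1024 ** 3
DAY1, DAY2 = 1704067200, 1704153600  # 2024-01-01 and 2024-01-02, 00:00 UTC

# Constructed sample events carrying the fields the search reads; not real data.
EVENTS = [
    {"_time": DAY1 + 3600, "pool": "pool_a", "idx": "main", "b": 2 * GIB},
    {"_time": DAY1 + 100,  "pool": "pool_a", "idx": "",     "b": GIB // 2},
    {"_time": DAY1 + 7200, "pool": "pool_a", "idx": "main", "b": GIB},
    {"_time": DAY2 + 50,   "pool": "pool_a", "idx": "main", "b": 4 * GIB},
    {"_time": DAY2 + 60,   "pool": "pool_b", "idx": None,   "b": GIB},
]

def stats_sum(rows, field, by):
    """Emulates: stats sum(<field>) as <field> by <by fields>."""
    totals = defaultdict(float)
    for row in rows:
        totals[tuple(row[k] for k in by)] += row[field]
    return [dict(zip(by, key), **{field: total}) for key, total in totals.items()]

def report(events):
    rows = []
    for e in events:
        rows.append({
            "_time": e["_time"] - e["_time"] % 86400,  # bin _time span=1d (UTC assumed)
            "pool": e["pool"],
            "idx": e["idx"] if e["idx"] else "(UNKNOWN)",  # empty or null idx
            "b": e["b"],
        })
    rows = stats_sum(rows, "b", ["_time", "pool", "idx"])
    for row in rows:
        row["GB"] = row["b"] / GIB
    # appendpipe: run the bracketed pipeline over the current rows, then
    # append its output to those rows instead of replacing them.
    subtotals = stats_sum(rows, "GB", ["_time"])
    for row in subtotals:
        row["b"] = "Daily Total"
    # Python's sort is stable, so each subtotal lands after its day's detail rows.
    return sorted(rows + subtotals, key=lambda row: row["_time"])

if __name__ == "__main__":
    for row in report(EVENTS):
        print(row)
```

The subtotal rows carry no pool or idx value, so those cells are blank in the report and the "Daily Total" label appears in the b column.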


Karandeep Bains

