Splunk - Displaying addcoltotals into its own column
I have a report where I am working with event logs. I have created a table with fields that are extracted from the event logs.
This is my splunk query:
| stats count as Total_by_Requester values(*) as * by Requester_Id
| table Type_of_Call LOB DateTime_Stamp Policy_Number Requester_Id Last_Name State City Zip Total_by_Requester
| addcoltotals labelfield=Type_of_Call label="Grand Total" Total_by_Requester
Here I am taking the count of Requester_Id and then displaying it in Total_by_Requester field/column in the table and then doing the addcoltotals command to the get the total of Tota_by_Requester field
The issue that this query has is that it is displaying the Grand Total right underneath the Type_of_Call column, I want to display the Grand Total in its own column after the Total_by_Requester column
Picture of the issue 
I have tried doing this query which brings the Grand Total to it's own column and has the right value but gets rid of all the other columns:
| stats count as Total_by_Requester values(*) as * by Requester_Id
| stats sum(Total_by_Requester) as Grand_Total
| table Type_of_Call LOB DateTime_Stamp Policy_Number Requester_Id Last_Name State City Zip Total_by_Requester Grand_Total
Issue in picture:
The labelfield option to addcoltotals tells the command where to put the added label. If the specified field name already exists then the label will go in that field, but if the value of the labelfield option is new then a new column will be created.
However, to create an entirely separate Grand_Total field, use the appendpipe command. The command applies a set of commands to the existing result set without triggering a new search.
| table Type_of_Call LOB DateTime_Stamp Policy_Number Requester_Id Last_Name State City Zip count
| appendpipe
[ stats sum(count) as Grand_Total ]
- How to determine the length of an array field in Splunk?
- Splunk query to find those final results that has events with unique combination of values of two keys in results of main search criteria
- login-info.cfg Splunk file semantic and structure
- Splunk SignalFX Synthetics: Is it possible to retrieve environment variable values in Javascript
- query splunk query joining 2 data tables
- Form a results table view from splunk multiple logs
- Exclude unnecessary logs being sent to splunk cloud platform
- How to Attach Splunk Search Results In JIra Via Terraform Automation?
- Regex Substitue only on a specific group - sedcmd (Splunk)
- Regex to only return matches when followed by a specific word
- embeding conf files into helm chart
- Splunk Logs for Faster Queries, with Category Boolean true
- How to create a timechart in splunk for the timestamp and extracted field?
- Match regex named group up until optional word
- How can I access the TraceId generated by splunk-otel-collector within an ASP.NET web application?
- Splunk result in Table format
- Splunk: How to compute the difference of timestamps by id?
- SPLUNK: How can I count events by location with a list of SERVERNAME's?
- How to represent difference between same fields from two different and simultaneous searches in a table format in Splunk?
- Java 11 HttpClient - POST issue
- Flume sink to Splunk?
- Questions related to splunk builtin macros in correlation search
- how to send the local file using splunk forwarder docker image?
- A table of counts of http status by URL
- How do I use a specific date/time in Splunk dashboard with earliest and latest?
- Splunk - Handling a blank token for a dashboard search
- Splunk - Extracting from search results using regex and aggregates
- Splunk - Grouping by distinct field with stats of another field
- Trying to log to Splunk using logback appender
- How can I download infinite results from a Splunk Search to Export the Data