I feel like this is something I should know already, but I can't find it anywhere.
If I have a query that calculates an amount of bandwidth, and a total cost per datacenter, say:
MySearch Host=MyHost | eval MBPS=....
| eval Cost=MBPS * 22
| stats sum(Cost) as "Cost ($)" by datacenter
That will show the cost of running host MyHost for each datacenter. How do I have stats generate a totals line, that will show the total cost overall, without appending an identical search?
Take a look at the addtotals
command.
MySearch Host=MyHost | eval MBPS=....
| eval Cost=MBPS * 22
| stats sum(Cost) as "Cost ($)" by datacenter
| addtotals
It will create a new row with the value of Host set to "Total", and the value of "Cost ($)" set to the appropriate total.
Take a look at the addtotals
command.
MySearch Host=MyHost | eval MBPS=....
| eval Cost=MBPS * 22
| stats sum(Cost) as "Cost ($)" by datacenter
| addtotals
It will create a new row with the value of Host set to "Total", and the value of "Cost ($)" set to the appropriate total.
Ah ha! That sorted it (though in this case, it was addcoltotals instead of addtotals).
Thank you, sir!