Sumo Logic

total

The total operator inserts the sum of a set of fields into every row of the set. Unlike the sum operator, which produces an aggregate value, the total operator inserts the total value as a new column, enabling expressions that compare an individual value to the total.

Syntax:

  • total field
    The above creates a new field (named _total by default) containing the sum of the specified field.
  • total field [as alias] [by field1, field2, ...]
    The above creates a new field containing the sum of the specified field for groups of the set of fields specified in the by clause. A given row's total is the sum of the specified field for all rows with matching values in the by clause fields.

Rules:

  • An alias for total is optional. If no alias is given, _total is used by default.
  • Rows in which the specified field contains non-numeric values will be skipped.

Examples

Calculate the total.

In this example, you can find the total data (bytes) transmitted for a time range. Running a query such as:

* | parse "bytes:*," as data 
| total data as t_data

produces results similar to:

Note that the t_data value—199,765—is the sum of the data field in all rows, many of which are not visible here. This query produces only three results, illustrating that _total is simply the sum of ps:

* | parse "BytesTotalPersec = \"*\"" as ps 
| where ps > 3000 
| total ps
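To make the Syntax and Rules above concrete, here is a small Python emulation of `total field [as alias] [by ...]` run over a few constructed log lines shaped like the first example. It is added here and is not Sumo Logic's code: the log lines, the `host` field, and the decision to drop skipped rows from the output are assumptions.

```python
import re
from collections import defaultdict
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample log lines (not from the original page).
LOGS = [
    "host=web1 bytes:1200, status=200",
    "host=web2 bytes:800, status=200",
    "host=web1 bytes:n/a, status=500",   # non-numeric: skipped by total
    "host=web2 bytes:2000, status=200",
]

def parse_rows(lines: List[str]) -> List[Dict[str, Any]]:
    """Rough stand-in for `parse "bytes:*," as data`, plus an assumed host field."""
    rows = []
    for line in lines:
        m = re.search(r"host=(\S+).*?bytes:(.*?),", line)
        if m:
            rows.append({"host": m.group(1), "data": m.group(2)})
    return rows

def to_number(value: Any) -> Optional[float]:
    """Numeric value of a field, or None when it is missing or non-numeric."""
    try:
        return float(str(value).strip())
    except ValueError:
        return None

def total(rows: List[Dict[str, Any]], field: str, alias: str = "_total",
          by: Iterable[str] = ()) -> List[Dict[str, Any]]:
    """Emulate `total field [as alias] [by f1, f2, ...]`.

    Rows whose field is non-numeric are skipped: they do not contribute to any
    sum and (this emulation's assumption) are not returned. Every other row
    gets `alias` = sum of `field` over rows sharing its `by` values; with no
    `by` clause the group is the whole set, so every row gets the same sum.
    """
    by = tuple(by)
    key = lambda r: tuple(r.get(k) for k in by)
    kept = [(r, v) for r in rows if (v := to_number(r.get(field))) is not None]
    sums: Dict[tuple, float] = defaultdict(float)
    for r, v in kept:
        sums[key(r)] += v
    return [{**r, alias: sums[key(r)]} for r, _ in kept]

def share_of_total(rows: List[Dict[str, Any]], field: str, total_field: str) -> List[float]:
    """The comparison the page motivates: each row's value as a percent of the total."""
    return [round(100 * to_number(r[field]) / r[total_field], 1) for r in rows]
```

With the sample rows, `total(parse_rows(LOGS), "data", alias="t_data")` gives three rows each carrying `t_data` 4000, while `by=["host"]` yields 1200 for web1 and 2800 for web2.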

Calculate totals by message time.

To group rows by their message time and calculate different totals for each time, use the _messagetime field:

* | limit 10
| 1 as data
| total data by _messagetime

This query looks at the first 10 rows and creates a field called data in each. Rather than simply totalling data—which would be 10—this query groups the rows by their message time and provides the total for each group.

Calculate the running total of requests.

Say you'd like to find the running total of requests from certain users. Running a query similar to:

_sourceCategory=IIS (Wyatt OR Luke)
| parse using public/iis
| timeslice by 1m
| count as requests by _timeslice,cs_username
| sort by _timeslice asc, cs_username
| total requests as running_total by cs_username

produces results similar to: