topic accum command examples in Knowledge Management

accum command examples

logloganathan — Tue, 03 Apr 2018 15:39:24 GMT

Could anyone please provide the example to learn the accum command.
i never used this command so i need some example to learn.

Re: accum command examples

kamlesh_vaghela — Tue, 03 Apr 2018 15:47:28 GMT

Hi @logloganathan,

The accum command calculates a running total or sum of the numbers. The accumulated sum can be returned to either the same field, or a newfield that you specify.

See this example:

| gentimes start=1 end=10 | eval sr_no=1 | accum sr_no | table sr_no 

| gentimes start=1 end=10 | eval sr_no=2 | accum sr_no | table sr_no 

| gentimes start=1 end=10 | eval sr_no=3 | accum sr_no as NO  | table sr_no NO

https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Accum

Re: accum command examples

elliotproebstel — Tue, 03 Apr 2018 15:51:25 GMT

The accum command calculates a running total of the values in a specified field. Here's a very short run-anywhere example:

| makeresults 
| eval a=5 
| append 
    [| makeresults 
    | eval a=1 ] 
| append 
    [| makeresults 
    | eval a=7 ] 
| accum a AS b

This will create a table with the _time that the events were generated, the field a (which is assigned the values 5, 1, and 7) and the field b (which contains a running total of the values from field a: 5, 6, 13). If you don't specify the AS clause, the accum command will store the running total in the source field:

| makeresults 
| eval a=5 
| append 
    [| makeresults 
    | eval a=1 ] 
| append 
    [| makeresults 
    | eval a=7 ] 
| accum a

This will just give you a table with the _time field and the field a, which no longer contains the original source values but only the running total of the source values.

Re: accum command examples

niketn — Tue, 03 Apr 2018 15:51:50 GMT

You should read splunk documentation on accum command:

Try the following run anywhere search based on your Splunk's _internal index

index=_internal sourcetype=splunkd log_level!="INFO"
| stats count as Total by component
| accum Total as cumulativeTotal

You can use accum command for generating serial number for number of results displayed in a table

index=_internal sourcetype=splunkd log_level!="INFO"
| stats count as Total by component
| eval sno=1
| accum sno

You can also learn streamstats command which can perform the operation of accum command and much more. Also Similar to how accum command performs cumulative total of specific field in streaming manner, delta command can give you cumulative difference, so read about that as well.

Re: accum command examples

logloganathan — Wed, 04 Apr 2018 04:38:43 GMT

wow...very detailed explanation