https://community.splunk.com/t5/Splunk-Search/Getting-cumulative-total-into-chart/m-p/350295#M175204 <P>Just add the following to your existing query</P> <PRE><CODE> &lt;Your exiting Search with chart as base search&gt; | accum LAW as Cumu_LAW | accum BUSINESS as Cumu_BUSINESS | accum EDUCATION as Cumu_EDUCATION </CODE></PRE> <P>Then you need to enable Chart Overlay for all Cumu_* fields and View as Axis should be turned on. You can do the same by editing the Visualization in Splunk Web UI or else through Splunk CHart reference</P> <PRE><CODE>&lt;charting.chart.overlayfields&gt;Cumu_LAW ,Cumu_BUSINESS,Cumu_EDUCATION&lt;/charting.chart.overlayfields&gt; &lt;charting.Y2.enabled&gt;1&lt;/charting.Y2.enabled&gt; &lt;charting.Y2.scale&gt;linear&lt;/charting.Y2.scale&gt; </CODE></PRE> Fri, 10 Mar 2017 13:11:39 GMT niketn 2017-03-10T13:11:39Z https://community.splunk.com/t5/Splunk-Search/Getting-cumulative-total-into-chart/m-p/350294#M175203 <P>I have a dataset like:</P> <P>quarter,faculty, people<BR /> 2016-Q1,LAW,2<BR /> 2016-Q1,BUSINESS,11<BR /> 2016-Q1,EDUCATION,2<BR /> 2016-Q2,BUSINESS,11<BR /> 2016-Q2,BUSINESS,7<BR /> 2017-Q1,LAW,5<BR /> 2017-Q1,LAW,1<BR /> 2017-Q1,EDUCATION,3<BR /> 2017-Q1,EDUCATION,4<BR /> 2017-Q1,EDUCATION,2</P> <P>I'm trying to get the cumulative total by quarter of people per faculty</P> <P>And display this in a chart so that the people count is on the y axis, the quarter is on the x-axis and the graph is stacked by faculty.</P> <P>e.g.</P> <P>I can get the (summed) people count as a chart, by doing this:</P> <P>search | chart sum(people) over quarter by faculty</P> <P>So the data would look like:</P> <P>2016-Q1<BR /> LAW = 2<BR /> BUSINESS = 11<BR /> EDUCATION = 2</P> <P>2016-Q2<BR /> LAW = 0<BR /> BUSINESS = 18<BR /> EDUCATION = 0</P> <P>2017-Q1<BR /> LAW=6<BR /> BUSINESS = 0<BR /> EDUCATION = 9</P> <P>But I want to get the cumulative people count, so that the counts end up more like</P> <P>2016-Q1<BR /> LAW = 2<BR /> BUSINESS = 11<BR /> EDUCATION = 2</P> <P>2016-Q2<BR /> LAW = 2<BR /> BUSINESS = 29<BR /> EDUCATION = 2</P> <P>LAW = 8<BR /> BUSINESS = 29<BR /> EDUCATION = 11</P> <P>I know there is an accum function but I can't get this to play with chart.</P> <P>Any ideas how to do this?</P> Fri, 10 Mar 2017 05:17:02 GMT https://community.splunk.com/t5/Splunk-Search/Getting-cumulative-total-into-chart/m-p/350294#M175203 splunk-support0 2017-03-10T05:17:02Z https://community.splunk.com/t5/Splunk-Search/Getting-cumulative-total-into-chart/m-p/350295#M175204 <P>Just add the following to your existing query</P> <PRE><CODE> &lt;Your exiting Search with chart as base search&gt; | accum LAW as Cumu_LAW | accum BUSINESS as Cumu_BUSINESS | accum EDUCATION as Cumu_EDUCATION </CODE></PRE> <P>Then you need to enable Chart Overlay for all Cumu_* fields and View as Axis should be turned on. You can do the same by editing the Visualization in Splunk Web UI or else through Splunk CHart reference</P> <PRE><CODE>&lt;charting.chart.overlayfields&gt;Cumu_LAW ,Cumu_BUSINESS,Cumu_EDUCATION&lt;/charting.chart.overlayfields&gt; &lt;charting.Y2.enabled&gt;1&lt;/charting.Y2.enabled&gt; &lt;charting.Y2.scale&gt;linear&lt;/charting.Y2.scale&gt; </CODE></PRE> Fri, 10 Mar 2017 13:11:39 GMT https://community.splunk.com/t5/Splunk-Search/Getting-cumulative-total-into-chart/m-p/350295#M175204 niketn 2017-03-10T13:11:39Z https://community.splunk.com/t5/Splunk-Search/Getting-cumulative-total-into-chart/m-p/350296#M175205 <P>Assuming that the faculty name can be dynamic, try something like this. THis will give cumulative sum of all faculty column without specifying a name.</P> <PRE><CODE>your base search | chart sum(people) over quarter by faculty | streamstats sum(*) as * </CODE></PRE> Fri, 10 Mar 2017 15:25:41 GMT https://community.splunk.com/t5/Splunk-Search/Getting-cumulative-total-into-chart/m-p/350296#M175205 somesoni2 2017-03-10T15:25:41Z https://community.splunk.com/t5/Splunk-Search/Getting-cumulative-total-into-chart/m-p/350297#M175206 <P>Thank you. This does exactly what I want.</P> Mon, 13 Mar 2017 02:10:51 GMT https://community.splunk.com/t5/Splunk-Search/Getting-cumulative-total-into-chart/m-p/350297#M175206 splunk-support0 2017-03-13T02:10:51Z