https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60349#M180131 <P>I think I follow the logic here, will have to experiment. I ran into a 10000 row limit on this one though. I did find a "hack" that <EM>seems</EM> to do it:</P> <P>...| bin _time span=6h as hour | stats values(flowers) as cflowers dc(flowers) as "Flowers per hour" by hour | streamstats dc(cflowers) as "Cumulative total" | eval Time=strftime(hour, "%m-%d.%H") | table Time, "Flowers per hour", "Cumulative total"</P> Sun, 29 Jan 2012 19:26:43 GMT howyagoin 2012-01-29T19:26:43Z https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60340#M180122 <P>I've got a variable, call it "flowers," related to orders from a shop. I'm trying to get a chart of the number of unique flower types purchased over a time range, as well as the cumulative total.</P> <P>I've found another answer here which gave the hint of:</P> <P>searchterm | stats values(flowers) as fcount dc(flowers) by date_minute | streamstats dc(fcount) as "Cumulative total"</P> <P>And whilst that works, it breaks down the number of unique flowers per a given minute, across the date range -- all fine if that range is within a given hour, but, otherwise it's not quite the right way to break this down.</P> <P>What I'm after though is a way to look at 36 hours worth of flower sales, and for each hour, or minute, see the number of unique flower types sold, but also have the cumulative total.</P> <P>As I interpret the above example, it's recycling "minutes" (or hours if I use date_hour) so that the 12th minute across two days is only represented by a single value..</P> <P>Missing something obvious here.....</P> Sat, 28 Jan 2012 07:01:12 GMT https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60340#M180122 howyagoin 2012-01-28T07:01:12Z https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60341#M180123 <P>I think you may want this :</P> <PRE><CODE>... earliest=-36h | timechart span=1h dc(flower) AS "# of flower types purchased" | streamstats sum("# of flower types purchased") AS total </CODE></PRE> <P>I'm not sure how relevant the cumulative total will be though, as it is only representative of the sum of distinct counts over time, which obviously will have duplicate flower types.</P> <P>You might find the results of this search more interesting as they will expose similar information :</P> <PRE><CODE>... earliest=-36h | timechart span=1h count by flower | addtotals | appendcols [search ... | timechart span=1h dc(flower) AS "# of flower types purchased"] </CODE></PRE> <P>This will provide the number of purchases per flower type, the total number of purchases, and the distinct count of flower types purchased for every hour.</P> <P>For more detais and examples, check the Search Reference manual records for <A href="http://docs.splunk.com/Documentation/Splunk/4.2.5/SearchReference/Timechart">timechart</A>, <A href="http://docs.splunk.com/Documentation/Splunk/4.2.5/SearchReference/Appendcols">appendcols</A> and <A href="http://docs.splunk.com/Documentation/Splunk/4.2.5/SearchReference/Addtotals">addtotals</A>.</P> Sat, 28 Jan 2012 16:59:11 GMT https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60341#M180123 hexx 2012-01-28T16:59:11Z https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60342#M180124 <P>Both of these are interesting, thanks, gives me something to play with. What I was hoping to accomplish though was to have a graph of time on the X axis, number of flowers on the Y, with one line representing the number of unique flowers per that increment of time (hour/minute, whatever) -- but a second line representing the cumulative total over all time, rather than just for that unit of time.</P> <P>So the second line would never, in theory, go down; if there were 2 unique flowers at noon on Monday, and 4 at 1300, and a total of 5 unique between those times, the second line should be at "5" on Y</P> Sun, 29 Jan 2012 02:23:51 GMT https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60342#M180124 howyagoin 2012-01-29T02:23:51Z https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60343#M180125 <P>I see. How about :<BR /><BR /> <CODE>... earliest=-36h | timechart span=1h count, dc(flower) AS "Distinct count of flower types purchased" | streamstats sum(count) AS "Total flowers purchased" | fields - count</CODE></P> Sun, 29 Jan 2012 02:36:03 GMT https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60343#M180125 hexx 2012-01-29T02:36:03Z https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60344#M180126 <P>This is a bit tricky, but possible. See my answer.</P> Sun, 29 Jan 2012 17:35:41 GMT https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60344#M180126 gkanapathy 2012-01-29T17:35:41Z https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60345#M180127 <P>hmm. maybe not. <CODE>streamstats</CODE> doesn't work with <CODE>sistats</CODE> as I had hoped.</P> Sun, 29 Jan 2012 17:40:56 GMT https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60345#M180127 gkanapathy 2012-01-29T17:40:56Z https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60346#M180128 <PRE><CODE>... | sort _time | streamstats global=f window=0 current=t values(flowers) as v_flowers | eval v_flowers=mvjoin(v_flowers,";") | timechart span=1h dc(flowers) as cur_dc, last(v_flowers) as cum_dc | eval cum_dc=mvcount(split(cum_dc,";")) </CODE></PRE> <P>The main tricks are (a) you need to sort and get the cumulative count first, and (b) convert the list of items from a multivalue field since it seems that the <CODE>timechart</CODE>'s <CODE>last()</CODE> function doesn't preserve multivalues. </P> Sun, 29 Jan 2012 18:18:43 GMT https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60346#M180128 gkanapathy 2012-01-29T18:18:43Z https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60347#M180129 <P>Try what I came up and posted now.</P> Sun, 29 Jan 2012 18:19:07 GMT https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60347#M180129 gkanapathy 2012-01-29T18:19:07Z https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60348#M180130 <P>@howyagoin : Oh ok, you want a <STRONG>distinct count over the entire period</STRONG>, not an on-going cumulative sum of the item sales for each cycle.</P> Sun, 29 Jan 2012 19:16:26 GMT https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60348#M180130 hexx 2012-01-29T19:16:26Z https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60349#M180131 <P>I think I follow the logic here, will have to experiment. I ran into a 10000 row limit on this one though. I did find a "hack" that <EM>seems</EM> to do it:</P> <P>...| bin _time span=6h as hour | stats values(flowers) as cflowers dc(flowers) as "Flowers per hour" by hour | streamstats dc(cflowers) as "Cumulative total" | eval Time=strftime(hour, "%m-%d.%H") | table Time, "Flowers per hour", "Cumulative total"</P> Sun, 29 Jan 2012 19:26:43 GMT https://community.splunk.com/t5/Splunk-Search/Cumulative-sum-of-a-distinct-count-over-time/m-p/60349#M180131 howyagoin 2012-01-29T19:26:43Z