https://community.splunk.com/t5/Splunk-Search/Create-splunk-chart-from-seach-with-totals-over-time/m-p/651987#M225369 <P>The command you are looking for is <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats" target="_blank" rel="noopener">streamstats</A>. &nbsp;If you have a single series, you can do</P><LI-CODE lang="markup">| timechart count | steamstats sum(count) as cumulative</LI-CODE><P>But your OP suggests that you have multiple series. &nbsp;For that, you can do something like</P><LI-CODE lang="markup">index=main sourcetype=cisco:asa host=* message_id=113004 | timechart count BY message_id | streamstats sum(*) as *-cumulative by message_id</LI-CODE><P>This produces two extraneous series "*" and "*-cumulative". &nbsp;I don't know how to remove them. &nbsp;If you have a limited number of message values, you can do</P><LI-CODE lang="markup">index=main sourcetype=cisco:asa host=* message_id=113004 | timechart count BY message_id | streamstats sum(msg_id1) as msg_id1-cumulative sum(msg_id2) as msg_id2 ... by message_id</LI-CODE> Tue, 25 Jul 2023 22:58:47 GMT yuanliu 2023-07-25T22:58:47Z https://community.splunk.com/t5/Splunk-Search/Create-splunk-chart-from-seach-with-totals-over-time/m-p/651808#M225313 <P>Hello Members,</P> <P>I have seen and used the accum command, but it does not quite give me what I want.</P> <P>I have this search below which gives me a line chart with event count over the time range:</P> <LI-CODE lang="markup">index=main sourcetype=cisco:asa host=* message_id=113004 | eval Date=strftime(_time, "%Y-%m-%d %H:%M:%S") | timechart count BY message_id</LI-CODE> <P>The graph type can be any type. I would like to get an accumulated total for a time period, like 24 hours, OK to count every hour, but show the accumulated count each hour, with the ending total for the time range, i.e. 24hr.</P> <P>Thanks for greate source of help here,</P> <P>eholz1</P> Tue, 25 Jul 2023 16:28:14 GMT https://community.splunk.com/t5/Splunk-Search/Create-splunk-chart-from-seach-with-totals-over-time/m-p/651808#M225313 eholz1 2023-07-25T16:28:14Z https://community.splunk.com/t5/Splunk-Search/Create-splunk-chart-from-seach-with-totals-over-time/m-p/651810#M225314 <P>Not sure what the real requirement is. &nbsp;Do you mean a 24-hour chart like this?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="totalby.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26436iA95986C8434B9EE6/image-size/large?v=v2&amp;px=999" role="button" title="totalby.png" alt="totalby.png" /></span></P><P>I.e., a group of varying line charts and a group of horizontal lines representing their period total? &nbsp;For this, you can do something like</P><LI-CODE lang="markup">index=main sourcetype=cisco:asa host=* message_id=113004 | timechart count BY message_id | eventstats sum(*) as *-Total</LI-CODE><P> </P> Mon, 24 Jul 2023 23:28:21 GMT https://community.splunk.com/t5/Splunk-Search/Create-splunk-chart-from-seach-with-totals-over-time/m-p/651810#M225314 yuanliu 2023-07-24T23:28:21Z https://community.splunk.com/t5/Splunk-Search/Create-splunk-chart-from-seach-with-totals-over-time/m-p/651937#M225350 <P>Thank you very much for the reply. I will try the search you suggest. Here is a screen shot of one result, which shows the number of events over time. But, starting from left of chart, instead of seeing values like: 7, 12,13,12,9 - I would like to see 7,19,32,41, etc.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="eholz1_0-1690299447166.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/26450iFB24945DD98C4DC7/image-size/medium?v=v2&amp;px=400" role="button" title="eholz1_0-1690299447166.png" alt="eholz1_0-1690299447166.png" /></span></P><P>Thanks Again, will check your suggestion, and get back</P> Tue, 25 Jul 2023 15:38:16 GMT https://community.splunk.com/t5/Splunk-Search/Create-splunk-chart-from-seach-with-totals-over-time/m-p/651937#M225350 eholz1 2023-07-25T15:38:16Z https://community.splunk.com/t5/Splunk-Search/Create-splunk-chart-from-seach-with-totals-over-time/m-p/651987#M225369 <P>The command you are looking for is <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Streamstats" target="_blank" rel="noopener">streamstats</A>. &nbsp;If you have a single series, you can do</P><LI-CODE lang="markup">| timechart count | steamstats sum(count) as cumulative</LI-CODE><P>But your OP suggests that you have multiple series. &nbsp;For that, you can do something like</P><LI-CODE lang="markup">index=main sourcetype=cisco:asa host=* message_id=113004 | timechart count BY message_id | streamstats sum(*) as *-cumulative by message_id</LI-CODE><P>This produces two extraneous series "*" and "*-cumulative". &nbsp;I don't know how to remove them. &nbsp;If you have a limited number of message values, you can do</P><LI-CODE lang="markup">index=main sourcetype=cisco:asa host=* message_id=113004 | timechart count BY message_id | streamstats sum(msg_id1) as msg_id1-cumulative sum(msg_id2) as msg_id2 ... by message_id</LI-CODE> Tue, 25 Jul 2023 22:58:47 GMT https://community.splunk.com/t5/Splunk-Search/Create-splunk-chart-from-seach-with-totals-over-time/m-p/651987#M225369 yuanliu 2023-07-25T22:58:47Z https://community.splunk.com/t5/Splunk-Search/Create-splunk-chart-from-seach-with-totals-over-time/m-p/652404#M225493 <P>Hello, and Thank you</P><P>&nbsp;</P><P>This is what I need. Again I thank you for the information.</P><P>&nbsp;</P><P>Eholz1</P> Fri, 28 Jul 2023 16:48:34 GMT https://community.splunk.com/t5/Splunk-Search/Create-splunk-chart-from-seach-with-totals-over-time/m-p/652404#M225493 eholz1 2023-07-28T16:48:34Z