topic Re: How to search the cumulative sum for multiple fields and chart them by day? in Splunk Search

How to search the cumulative sum for multiple fields and chart them by day?

theouhuios — Tue, 30 Jun 2015 13:00:23 GMT

Hello

I am trying to get a cumulative sum of multiple fields and then chart them. Problem is, I can use accum on only ONE field at a time. The fields are dynamic, so I need something which will calculate the cumulative value for fields which start with AWS-*

The fields look like below

There can be other tags too like AWS-S3 etc depending on the filters which people pick. So Is there a way to get a cumulative value of each field as its own field ( cumulative value of AWs-EC2 as accum _AWS-EC2etc) ?

Search:

 index=blah sourcetype=blah  source="*blah-*"  Center=ABC123|timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag|accum AWS-EC2 as accum_AWS-EC2|accum AWS-EMR as accum_AWS-EMR

UPDATE: Updated the question. I am trying to get the cumulative value by Day

Re: How to search the cumulative sum for multiple fields and chart them by day?

woodcock — Tue, 30 Jun 2015 13:20:44 GMT

Try this:

... | streamstats sum(AWS-*)

or this:

... | stats sum(AWS-*)

Re: How to search the cumulative sum for multiple fields and chart them by day?

theouhuios — Tue, 30 Jun 2015 13:30:11 GMT

Sorry, I should have been more Clear. I need to get a cumulative value by each day so that I can just chart the cumulative values of all AWS-* , stack them up which would give the total value for the day along with the ProductName.

Re: How to search the cumulative sum for multiple fields and chart them by day?

DavidHourani — Tue, 30 Jun 2015 13:34:41 GMT

What search command are you currently using ?

Re: How to search the cumulative sum for multiple fields and chart them by day?

ngatchasandra — Tue, 30 Jun 2015 13:38:05 GMT

Hi,

Try with

....| streamstats sum(AWS-*) as AWS-*_accum |timechart    AWS-*_accum  span=1d

Re: How to search the cumulative sum for multiple fields and chart them by day?

woodcock — Tue, 30 Jun 2015 13:40:13 GMT

OK, based on your clarification, do this:

... | bucket _time span=1d | stats sum(AWS-*) by _time | addcoltotals

Or this (still not sure if you need accum or sum):

... | bucket _time span=1d | streamstats sum(AWS-*) by _time

The bucket part may not be necessary (if your data matches what you show).

Re: How to search the cumulative sum for multiple fields and chart them by day?

theouhuios — Tue, 30 Jun 2015 13:42:53 GMT

Updated the search

Re: How to search the cumulative sum for multiple fields and chart them by day?

fdi01 — Tue, 30 Jun 2015 13:46:40 GMT

try like:

...| bucket _time span=1d |streamstats sum(AWS-*) by _time |

Re: How to search the cumulative sum for multiple fields and chart them by day?

theouhuios — Tue, 30 Jun 2015 13:46:54 GMT

Updated the question with the search. AWs-* field are basically values of field called ProductName.

Re: How to search the cumulative sum for multiple fields and chart them by day?

ngatchasandra — Tue, 30 Jun 2015 13:49:56 GMT

Try also with accum command which create a cumulative sum:

 ....| accum sum AWS-* as AWS-*_accum |timechart    AWS-*_accum  span=1d

Re: How to search the cumulative sum for multiple fields and chart them by day?

theouhuios — Tue, 30 Jun 2015 13:51:23 GMT

This wouldn't work . If I do it after the timechart it would give me the same value since at a given _time value there is only one corresponding AWS-EC2 or AWS-EMR value. If I do this before my timechart, there is no field called AWS-*

Re: How to search the cumulative sum for multiple fields and chart them by day?

theouhuios — Tue, 30 Jun 2015 13:55:22 GMT

addcoltotals will give me a cumulative value for all the fields.. Problem is I need it to add by day.. Like accum which keeps adding the field above the the current field and keeps going on. This would basically give me the TOTAL cost till that day, for everyday.

Re: How to search the cumulative sum for multiple fields and chart them by day?

theouhuios — Tue, 30 Jun 2015 14:00:47 GMT

Amazing. Such a simple function and it solved the issue.

Re: How to search the cumulative sum for multiple fields and chart them by day?

woodcock — Tue, 30 Jun 2015 14:32:42 GMT

This will work:

  index=blah sourcetype=blah  source="*blah-*"  Center=ABC123|timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag | reverse | streamstats current=t sum(AWS*) BY _time

But I think you are not looking for a running total (which is what accum and streamstats do) but rather a daily sum, right? If so then do this:

  index=blah sourcetype=blah  source="*blah-*"  Center=ABC123|timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag | reverse | stats sum(AWS*) BY _time

Or, to keep the table as-is and just add a column, do this

  index=blah sourcetype=blah  source="*blah-*"  Center=ABC123|timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag | reverse | eventstats sum(AWS*) BY _time