topic Re: How to use a running total/accumulated value as a starting input for a timechart, but not display this data point? in Splunk Search

How to use a running total/accumulated value as a starting input for a timechart, but not display this data point?

Sukisen1981 — Tue, 02 Aug 2016 17:38:01 GMT

I have a reqquirement as follows:
I have a time chart with 3 fields
A,B,C

C=A-B+previous value of C in row immediately above.

Example:

1st Row              A     B    C
                     8     3    5
2nd row and so on    A     B    C
                     6     7    4(6-7+5)

Now, I have built the time chart using accum C, defining eval C=A-B...which woks perfectly, question is - this is continuous data from 3 years back. For example, if I am asked to show a timechart / time wise depiction for say last 3 weeks - till now.... the chart breaks down, as the accumulation for the first row 3 weeks ago just takes A-B, whereas it should take the accumulated value of C from the immediate row above. However, since the chart is now being pulled from 3 weeks ago, it does not find any accumulated value of for the 1st row for 3 week old data pull.

In other words - is there a way to limit timechart to just visually start from any point in the past BUT somehow use the running total/accumulated value as a starting input while limiting the time chart?

Re: How to use a running total/accumulated value as a starting input for a timechart, but not display this data point?

Sukisen1981 — Tue, 02 Aug 2016 18:59:16 GMT

Hi gals n guys - Sorry please disregard this , i found out what I wanted.

Took the total index query at first, placed join on _time with the later , later being selected for last 3 weeks.
_time columns join worked of course and the values from the first join for the common (last 3 weeks) flowed into the common join table. Just did some last clean up with fields - and removed a couple of columns from the second join that I did no need.

But makes me wonder is there a way to suppress first N rows returned from a timechart without condition by just specifying N - number of rows needed to be removed..could be 1 could be 5/6 etc.

Re: How to use a running total/accumulated value as a starting input for a timechart, but not display this data point?

sundareshr — Tue, 02 Aug 2016 19:51:49 GMT

How are you going to specify N? To suppress the first N rows, you can do reverse | head N | reverse where N=Total-N

Re: How to use a running total/accumulated value as a starting input for a timechart, but not display this data point?

Sukisen1981 — Wed, 03 Aug 2016 21:17:27 GMT

This works well..N is passed from a filter where user enters the past number of weeks he/she wants to see the results from..thanks a lot! answer accepted, query looks much smaller and trimmer by your solution.

Re: How to use a running total/accumulated value as a starting input for a timechart, but not display this data point?

Sukisen1981 — Wed, 03 Aug 2016 21:21:48 GMT

what is the more efficient way, though? both the solutions work but in the long run which will put less load on the search?

Re: How to use a running total/accumulated value as a starting input for a timechart, but not display this data point?

Sukisen1981 — Thu, 04 Aug 2016 06:17:26 GMT

what is the more efficient way, though? both the solutions work but in the long run which will put less load on the search?