- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Getting cumulative total into chart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a dataset like:
quarter,faculty, people
2016-Q1,LAW,2
2016-Q1,BUSINESS,11
2016-Q1,EDUCATION,2
2016-Q2,BUSINESS,11
2016-Q2,BUSINESS,7
2017-Q1,LAW,5
2017-Q1,LAW,1
2017-Q1,EDUCATION,3
2017-Q1,EDUCATION,4
2017-Q1,EDUCATION,2
I'm trying to get the cumulative total by quarter of people per faculty
And display this in a chart so that the people count is on the y axis, the quarter is on the x-axis and the graph is stacked by faculty.
e.g.
I can get the (summed) people count as a chart, by doing this:
search | chart sum(people) over quarter by faculty
So the data would look like:
2016-Q1
LAW = 2
BUSINESS = 11
EDUCATION = 2
2016-Q2
LAW = 0
BUSINESS = 18
EDUCATION = 0
2017-Q1
LAW=6
BUSINESS = 0
EDUCATION = 9
But I want to get the cumulative people count, so that the counts end up more like
2016-Q1
LAW = 2
BUSINESS = 11
EDUCATION = 2
2016-Q2
LAW = 2
BUSINESS = 29
EDUCATION = 2
LAW = 8
BUSINESS = 29
EDUCATION = 11
I know there is an accum function but I can't get this to play with chart.
Any ideas how to do this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that the faculty name can be dynamic, try something like this. THis will give cumulative sum of all faculty column without specifying a name.
your base search | chart sum(people) over quarter by faculty
| streamstats sum(*) as *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming that the faculty name can be dynamic, try something like this. THis will give cumulative sum of all faculty column without specifying a name.
your base search | chart sum(people) over quarter by faculty
| streamstats sum(*) as *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. This does exactly what I want.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just add the following to your existing query
<Your exiting Search with chart as base search>
| accum LAW as Cumu_LAW
| accum BUSINESS as Cumu_BUSINESS
| accum EDUCATION as Cumu_EDUCATION
Then you need to enable Chart Overlay for all Cumu_* fields and View as Axis should be turned on. You can do the same by editing the Visualization in Splunk Web UI or else through Splunk CHart reference
<charting.chart.overlayfields>Cumu_LAW ,Cumu_BUSINESS,Cumu_EDUCATION</charting.chart.overlayfields>
<charting.Y2.enabled>1</charting.Y2.enabled>
<charting.Y2.scale>linear</charting.Y2.scale>
| makeresults | eval message= "Happy Splunking!!!"
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
