Solved: How to get cumulative numbers

xvxt006 · ‎01-13-2014

Hi,

I am getting number of orders per hour and last week same hour orders and delta percentage. i run this every hour (using basic schedule) to get previous hour orders in an email. Now i want to get cumulative totals. How can we accomplish this in a scheduled search.

For example hour1 have below numbers and hour2, it should be total of hour1+hour2. Hour3 it should be Hour1+Hour2+Hour3.

Measure Value
OrdersLastHour 1181
OrdersLastWeekSameHour 734
OrderDeltaPct 60.90

jbrodsky_splunk · ‎01-14-2014

Try using accum.

... | bucket _time span=1h | stats count by _time |accum count as total_count

View solution in original post

jbrodsky_splunk · ‎01-14-2014

Try using accum.

... | bucket _time span=1h | stats count by _time |accum count as total_count

jbrodsky_splunk · ‎01-14-2014

Try:

earliest=-week-1h latest=-week

Then run it every hour...

xvxt006 · ‎01-14-2014

Thank you. one question is, as i want to compare today vs last week by hour, how can i specify time so that every hour when i run the scheduled search it runs for this hour last week. Meaning if it is 1 pm today, it will get the numbers till 1 pm today and last week same day it should run till 1 pm. After another hour it should run till 2 pm, etc. is it possible to specify the time interval in such a way?

jbrodsky_splunk · ‎01-14-2014

There's no time range specified in my search - it will work against whatever time range you specify. If you want to do last full week, prepend it with:

earliest=-7d@w0 latest=@w7

xvxt006 · ‎01-14-2014

Thank you. I will try. Does this work even for numbers for same time last week?

How to get cumulative numbers

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor