Solved: How to get cumulative numbers

xvxt006 · ‎01-13-2014

Hi,

I am getting number of orders per hour and last week same hour orders and delta percentage. i run this every hour (using basic schedule) to get previous hour orders in an email. Now i want to get cumulative totals. How can we accomplish this in a scheduled search.

For example hour1 have below numbers and hour2, it should be total of hour1+hour2. Hour3 it should be Hour1+Hour2+Hour3.

Measure Value
OrdersLastHour 1181
OrdersLastWeekSameHour 734
OrderDeltaPct 60.90

jbrodsky_splunk · ‎01-14-2014

Try using accum.

... | bucket _time span=1h | stats count by _time |accum count as total_count

View solution in original post

jbrodsky_splunk · ‎01-14-2014

Try using accum.

... | bucket _time span=1h | stats count by _time |accum count as total_count

jbrodsky_splunk · ‎01-14-2014

Try:

earliest=-week-1h latest=-week

Then run it every hour...

xvxt006 · ‎01-14-2014

Thank you. one question is, as i want to compare today vs last week by hour, how can i specify time so that every hour when i run the scheduled search it runs for this hour last week. Meaning if it is 1 pm today, it will get the numbers till 1 pm today and last week same day it should run till 1 pm. After another hour it should run till 2 pm, etc. is it possible to specify the time interval in such a way?

jbrodsky_splunk · ‎01-14-2014

There's no time range specified in my search - it will work against whatever time range you specify. If you want to do last full week, prepend it with:

earliest=-7d@w0 latest=@w7

xvxt006 · ‎01-14-2014

Thank you. I will try. Does this work even for numbers for same time last week?

How to get cumulative numbers

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes