Knowledge Management

accum command examples

logloganathan
Motivator

Could anyone please provide the example to learn the accum command.
i never used this command so i need some example to learn.

Tags (2)
0 Karma
1 Solution

elliotproebstel
Champion

The accum command calculates a running total of the values in a specified field. Here's a very short run-anywhere example:

| makeresults 
| eval a=5 
| append 
    [| makeresults 
    | eval a=1 ] 
| append 
    [| makeresults 
    | eval a=7 ] 
| accum a AS b

This will create a table with the _time that the events were generated, the field a (which is assigned the values 5, 1, and 7) and the field b (which contains a running total of the values from field a: 5, 6, 13). If you don't specify the AS clause, the accum command will store the running total in the source field:

| makeresults 
| eval a=5 
| append 
    [| makeresults 
    | eval a=1 ] 
| append 
    [| makeresults 
    | eval a=7 ] 
| accum a

This will just give you a table with the _time field and the field a, which no longer contains the original source values but only the running total of the source values.

View solution in original post

0 Karma

niketn
Legend

You should read splunk documentation on accum command:

Try the following run anywhere search based on your Splunk's _internal index

index=_internal sourcetype=splunkd log_level!="INFO"
| stats count as Total by component
| accum Total as cumulativeTotal

You can use accum command for generating serial number for number of results displayed in a table

index=_internal sourcetype=splunkd log_level!="INFO"
| stats count as Total by component
| eval sno=1
| accum sno

You can also learn streamstats command which can perform the operation of accum command and much more. Also Similar to how accum command performs cumulative total of specific field in streaming manner, delta command can give you cumulative difference, so read about that as well.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

elliotproebstel
Champion

The accum command calculates a running total of the values in a specified field. Here's a very short run-anywhere example:

| makeresults 
| eval a=5 
| append 
    [| makeresults 
    | eval a=1 ] 
| append 
    [| makeresults 
    | eval a=7 ] 
| accum a AS b

This will create a table with the _time that the events were generated, the field a (which is assigned the values 5, 1, and 7) and the field b (which contains a running total of the values from field a: 5, 6, 13). If you don't specify the AS clause, the accum command will store the running total in the source field:

| makeresults 
| eval a=5 
| append 
    [| makeresults 
    | eval a=1 ] 
| append 
    [| makeresults 
    | eval a=7 ] 
| accum a

This will just give you a table with the _time field and the field a, which no longer contains the original source values but only the running total of the source values.

0 Karma

logloganathan
Motivator

wow...very detailed explanation

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @logloganathan,

The accum command calculates a running total or sum of the numbers. The accumulated sum can be returned to either the same field, or a newfield that you specify.

See this example:

| gentimes start=1 end=10 | eval sr_no=1 | accum sr_no | table sr_no 

| gentimes start=1 end=10 | eval sr_no=2 | accum sr_no | table sr_no 

| gentimes start=1 end=10 | eval sr_no=3 | accum sr_no as NO  | table sr_no NO

https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Accum

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...