display cummulative sum in timechart

kirrusk · ‎08-17-2021

I'm trying to display the cumulative sum in the timechart.

two sourcetypes

index= _internal  | [search sourcetype=source1 clu=*  value=* | rename value as source1value]
| appendcols [search sourcetype=source2 clu=*  value=* | rename value as source2value] 
| table  source1value source2value
| eval res=source2value-source1value 
| stats sum(res)

up to here giving the sum of res, I need to display this cumulative sum in the time chart.

Can anyone suggest how I can achieve this?

ITWhisperer · ‎08-17-2021

| streamstats sum(res)

kirrusk · ‎08-17-2021

@ITWhisperer is giving time chart series in exponential form, But I need cumulative data on the time chart.

ITWhisperer · ‎08-17-2021

Please explain what you understand by cumulative as I assumed it was a cumulative or running total which is what streamstats is doing for you?

kirrusk · ‎08-17-2021

@ITWhisperer I have data like sum(res)
in the table, It will give only a single result.

sum(res)
256

Want to display this value in time series, each point of time has to show sum(res) only.
Is that possible?

ITWhisperer · ‎08-17-2021

Yes, replace stats sum(res) with streamstats sum(res)

display cummulative sum in timechart

using Splunk Enterprise

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!