Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

display cummulative sum in timechart

kirrusk
Communicator
‎08-17-2021 02:12 AM

I'm trying to display the cumulative sum in the timechart.

two sourcetypes 

index= _internal  | [search sourcetype=source1 clu=*  value=* | rename value as source1value]
| appendcols [search sourcetype=source2 clu=*  value=* | rename value as source2value] 
| table  source1value source2value
| eval res=source2value-source1value 
| stats sum(res)



up to here giving the sum of res, I need to display this cumulative sum in the time chart.

Can anyone suggest how I can achieve this?

 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-17-2021 03:10 AM 
| streamstats sum(res)
0 Karma
Reply

kirrusk
Communicator
‎08-17-2021 05:04 AM

@ITWhisperer is giving time chart series in exponential form, But I need cumulative data on the time chart.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-17-2021 05:15 AM

Please explain what you understand by cumulative as I assumed it was a cumulative or running total which is what streamstats is doing for you?

0 Karma
Reply

kirrusk
Communicator
‎08-17-2021 05:44 AM

@ITWhisperer I have data like sum(res)
in the table, It will give only a single result.

sum(res)
256


Want to display this value in time series, each point of time has to show sum(res) only.
Is that possible?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-17-2021 05:50 AM

Yes, replace stats sum(res) with streamstats sum(res)

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...