Hi all,

I have the following basic search - and I'm having trouble getting monthly accumulated plot of paths changed grouped change number. For reference a change number could have a number of distinct paths contained in it. Change numbers can happen anytime. If I have some source data

change     path      date      user
1001       /a/b     1-1-2001   bob
1002       /a/b     1-1-2001   joe
1002       /a/c     1-1-2001   joe
1002       /a/d     1-1-2001   joe
1002       /a/e     1-1-2001   joe
1003       /a/c     2-1-2001   jon
1003       /a/d     2-1-2001   jon
1004       /a/d     3-1-2001   bob

Now I know how to correctly group the data.

source=icm_data | stats dc(path) by change

This give me the right columns on how I want them initially lumped together.

change | dc(path)
1001         1
1002         5
1003         2
1004         1

Now what I want is a simple plot that shows x is the monthly number and T is the total

9      --    --    -T          
8      --    -T    --
7      --    --    --     
6      xT    --    -- 
5      --    --    --    
4      --    --    --     
3      --    --    --       
2      --    x-    --
1      --    --    x-    
0      --    --    --
 Mo   Jan   Feb   Mar

I'm aware of this answer - but I can't seem to get it to work with my dataset.

http://answers.splunk.com/answers/102444/cumulative-sum-in-splunk.html