Splunk Search

Accumulated sum with a dc value.

sklass
Path Finder

Hi all,

I have the following basic search, and I'm having trouble getting a monthly accumulated plot of paths changed, grouped by change number. For reference, a change number could have a number of distinct paths contained in it. Change numbers can happen anytime. If I have some source data

change     path      date      user
1001       /a/b     1-1-2001   bob
1002       /a/b     1-1-2001   joe
1002       /a/c     1-1-2001   joe
1002       /a/d     1-1-2001   joe
1002       /a/e     1-1-2001   joe
1003       /a/c     2-1-2001   jon
1003       /a/d     2-1-2001   jon
1004       /a/d     3-1-2001   bob

Now I know how to correctly group the data.

source=icm_data | stats dc(path) by change

This gives me the right columns on how I want them initially lumped together.

change | dc(path)
1001         1
1002         5
1003         2
1004         1

Now what I want is a simple plot that shows x is the monthly number and T is the total

9      --    --    -T          
8      --    -T    --
7      --    --    --     
6      xT    --    -- 
5      --    --    --    
4      --    --    --     
3      --    --    --       
2      --    x-    --
1      --    --    x-    
0      --    --    --
 Mo   Jan   Feb   Mar

I'm aware of this answer - but I can't seem to get it to work with my dataset.

http://answers.splunk.com/answers/102444/cumulative-sum-in-splunk.html


woodcock
Esteemed Legend

Try this (I may have it backwards and you might have to change sort 0 - date to sort 0 date):

source=icm_data | stats count AS CountBYDatePath BY date,path | sort 0 - date | streamstats sum(CountBYDatePath) AS accumulation by path
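An added example, not part of the original thread: one way to get both series the question asks for, the per-month sum of dc(path) per change and its running total. The field names paths, monthly and total are assumptions, as is reading the date column as month-day-year (so that 1-1, 2-1 and 3-1 fall in Jan, Feb and Mar as in the question's plot); the first four lines only rebuild the question's sample rows so the search runs without the index.

```spl
| makeresults
| eval row=split("1001,/a/b,1-1-2001,bob;1002,/a/b,1-1-2001,joe;1002,/a/c,1-1-2001,joe;1002,/a/d,1-1-2001,joe;1002,/a/e,1-1-2001,joe;1003,/a/c,2-1-2001,jon;1003,/a/d,2-1-2001,jon;1004,/a/d,3-1-2001,bob", ";")
| mvexpand row
| rex field=row "^(?<change>[^,]+),(?<path>[^,]+),(?<date>[^,]+),(?<user>.+)$"
| stats dc(path) AS paths BY change, date
| eval _time=strptime(date, "%m-%d-%Y")
| timechart span=1mon sum(paths) AS monthly
| fillnull value=0 monthly
| streamstats sum(monthly) AS total
```

Against the real data, replace the first four lines with source=icm_data. The fillnull step keeps months with no changes at 0 so the running total stays flat across them instead of leaving a gap in the chart.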
