Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Count when sum reaches specific number then start over.

AlexMcDuffMille
Communicator
‎01-23-2014 01:36 PM

Hello,

I have data that shows the number of items I'm counting by item number. Is there a way to count when I have a certain amount of items, then reset the count back to zero? I could do something like | eval number=sum(field)/value, but then I wouldn't get the timestamp of when that count rolled over.

For example, I want to know when I have at least 5 items. So for this data I would want it to show a graph with values on day 2, day 3, and day 5, since that's when the count got high enough to be 5. 

day1   2
day2   3
day3   6
day4   1
day5   5
Reply
1 Solution
Solved! Jump to solution
Solution

aholzer
Motivator
‎01-23-2014 02:05 PM

Try the following:

<base_search> | stats count by day | accum count as accum_cnt | eval accum_cnt = if(accum_cnt>=5,0,accum_cnt)

This will aggregate the counts by the day. Then it will start running the cumulative for your count by day. When it reaches a value of 5 or greater it will change it to 0. Look for days with a value of 0.

If you want to save the value that it hit which equates to above 5 you can try something like this:

<base_search> | stats count by day | accum count as accum_cnt | eval accum_cnt_over = if(accum_cnt>=5,accum_cnt,0) | eval accum_cnt = if(accum_cnt>=5,0,accum_cnt) | where accum_cnt_over>0

Hope this helps

View solution in original post

Reply
Solved! Jump to solution

mkinsley_splunk
Splunk Employee
Splunk Employee
‎01-23-2014 10:53 PM

What you want is the modulo operator. It is essentially the remainder after a division operation. As the dividend increases, the remainder increases, until a number is reached that divides perfectly and thus the remainder resets to zero over and over again. Exactly what you are looking for.

Here is a sample query:

index=_internal  | stats count as cat_val by date_hour | accum cat_val as subtotal  | eval i = subtotal % 6

Notice that i cycles between 0 and 5 and then continues to cycle as you want.

Reply
Solved! Jump to solution

mkinsley_splunk
Splunk Employee
Splunk Employee
‎02-04-2014 09:25 AM

sure, can you give an example ?

0 Karma
Reply
Solved! Jump to solution

AlexMcDuffMille
Communicator
‎02-03-2014 09:34 AM

I think this is what I am looking for. Is there a way to take this to the next level and keep a running total of events based on what the value is in another column?

0 Karma
Reply
Solved! Jump to solution
Solution

aholzer
Motivator
‎01-23-2014 02:05 PM

Try the following:

<base_search> | stats count by day | accum count as accum_cnt | eval accum_cnt = if(accum_cnt>=5,0,accum_cnt)

This will aggregate the counts by the day. Then it will start running the cumulative for your count by day. When it reaches a value of 5 or greater it will change it to 0. Look for days with a value of 0.

If you want to save the value that it hit which equates to above 5 you can try something like this:

<base_search> | stats count by day | accum count as accum_cnt | eval accum_cnt_over = if(accum_cnt>=5,accum_cnt,0) | eval accum_cnt = if(accum_cnt>=5,0,accum_cnt) | where accum_cnt_over>0

Hope this helps

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-23-2014 02:05 PM

Can you provide sample data?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...