Splunk Search

Cumulate previous values in timechart

yAlff
Path Finder

Hi,

I'm looking for a function to cumulate previous values in a timechart. Means that I can see a real-time development of a software roll-out - distincted by a UID. The result should look as a ramp.

My search string looks like this:

sourcetype="foo" devicetype="Bob" | timechart dc(uid) as totale by boxsw | addtotals

This table as an example of the desired results:

Time   # events   w/ new sw    cumulated
Day 1       128         128          128
Day 2       230         102          230
Day 3       220          78          308

So at Day 3 in the example, there are 308 devices with the new software AND it is clear to see, that it doesn't depend primary on how many events where registered.

I just tried streamstats like mentioned in the first comment (that was made according to a badly formulated question...), but it doesn't give me the result I need. (As a first step I would be happy, if there where any cumulated results)

So, I'm looking forward to seeing an instructive answer to my question 🙂

Regards 😉

Tags (3)
0 Karma
1 Solution

gfuente
Motivator

Hello

As you are not providing any examples of the data or querys, I just can guess that you need to use the streamstats command:

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Streamstats

Regards

View solution in original post

0 Karma

gfuente
Motivator

Hello

As you are not providing any examples of the data or querys, I just can guess that you need to use the streamstats command:

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Streamstats

Regards

0 Karma

gfuente
Motivator

Ok

Now with this additional info, i think you can use the accum command, to calculate the 3º column:

| accum thefielyouwanttoacummulate AS accumulated_field

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Accum

Regards

0 Karma

yAlff
Path Finder

Please apologize, I put my question in a hurry and didn't formulate it well. Please see my updated question.

Thank you for your advise 🙂

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...