Hi,
I'm looking for a function to cumulate previous values in a timechart. That means I can see the real-time development of a software roll-out, distinguished by a UID. The result should look like a ramp.
My search string looks like this:
sourcetype="foo" devicetype="Bob" | timechart dc(uid) as totale by boxsw | addtotals
This table is an example of the desired results:
Time     # events   w/ new sw   cumulated
Day 1    128        128         128
Day 2    230        102         230
Day 3    220        78          308
So at Day 3 in the example, there are 308 devices with the new software AND it is clear to see that it doesn't depend primarily on how many events were registered.
I just tried streamstats as mentioned in the first comment (that was made according to a badly formulated question...), but it doesn't give me the result I need. (As a first step I would be happy if there were any cumulated results.)
So, I'm looking forward to seeing an instructive answer to my question 🙂
Regards 😉
Hello
As you are not providing any examples of the data or queries, I can only guess that you need to use the streamstats command:
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Streamstats
Regards
Ok
Now with this additional info, I think you can use the accum command to calculate the 3rd column:
| accum thefieldyouwanttoaccumulate AS accumulated_field
http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Accum
Regards
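An added example, not part of the original thread: one way to produce the ramp from the question is to reduce each uid to the first time it reported the new software, count those first sightings per day, and run accum over that count, so a device that reports on several days is counted only once. The boxsw value is a placeholder for the new software version, and the one-day span and the field names new_devices and cumulated are assumptions.

```spl
sourcetype="foo" devicetype="Bob" boxsw="<new_sw_version>"
| stats min(_time) AS _time BY uid
| timechart span=1d count AS new_devices
| accum new_devices AS cumulated
```

With the sample table above, new_devices corresponds to the "w/ new sw" column (128, 102, 78) and cumulated to the last column (128, 230, 308).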
I apologize, I put my question in a hurry and didn't formulate it well. Please see my updated question.
Thank you for your advice 🙂