
Cumulate previous values in timechart

yAlff
Path Finder

Hi,

I'm looking for a function to cumulate previous values in a timechart. This means I can see the real-time development of a software roll-out, distinguished by a UID. The result should look like a ramp.

My search string looks like this:

sourcetype="foo" devicetype="Bob" | timechart dc(uid) as totale by boxsw | addtotals

This table is an example of the desired results:

Time   # events   w/ new sw    cumulated
Day 1       128         128          128
Day 2       230         102          230
Day 3       220          78          308

So at Day 3 in the example, there are 308 devices with the new software AND it is clear to see that it doesn't depend primarily on how many events were registered.

I just tried streamstats as mentioned in the first comment (which was made according to a badly formulated question...), but it doesn't give me the result I need. (As a first step I would be happy if there were any cumulated results at all.)

So, I'm looking forward to seeing an instructive answer to my question 🙂

Regards 😉


gfuente
Motivator

Hello

As you are not providing any examples of the data or queries, I can only guess that you need to use the streamstats command:

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Streamstats

Regards


gfuente
Motivator

Ok

Now with this additional info, I think you can use the accum command to calculate the 3rd column:

| accum thefieldyouwanttoaccumulate AS accumulated_field

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Accum

Regards

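The "cumulated" column in the question is a running count of distinct devices, so simply running accum over a per-day dc(uid) double-counts any device that reports on more than one day. The following Python is an added example (not from this thread and not Splunk code): it builds constructed events that reproduce the table above (128 devices on day 1, 230 on day 2 of which 102 are new, 220 on day 3 of which 78 are new), then computes the naive accumulation beside a first-seen cumulative distinct count. The SPL in the docstring is an assumed equivalent written for illustration, not a query posted in the thread.

```python
# Constructed sample events, not real data: (day, uid) pairs chosen so that
# the per-day distinct counts match the table in the question.
def build_events():
    events = []
    events += [(1, f"uid{n}") for n in range(1, 129)]    # day 1: 128 new
    events += [(2, f"uid{n}") for n in range(1, 129)]    # day 2: 128 repeats
    events += [(2, f"uid{n}") for n in range(129, 231)]  # day 2: 102 new
    events += [(3, f"uid{n}") for n in range(1, 143)]    # day 3: 142 repeats
    events += [(3, f"uid{n}") for n in range(231, 309)]  # day 3: 78 new
    return events


def dc_per_day(events):
    """What `timechart span=1d dc(uid)` gives: distinct devices per day bucket."""
    seen = {}
    for day, uid in events:
        seen.setdefault(day, set()).add(uid)
    return {day: len(uids) for day, uids in sorted(seen.items())}


def naive_accum(events):
    """`timechart dc(uid) as totale | accum totale`: a device that reports on
    several days is added once per day, so the ramp overshoots the fleet size."""
    running, out = 0, {}
    for day, n in dc_per_day(events).items():
        running += n
        out[day] = running
    return out


def cumulative_distinct(events):
    """Count each uid exactly once, in the bucket where it was first seen, then
    accumulate. Assumed SPL equivalent (illustration, not from the thread):

        ... | stats min(_time) as first_seen by uid
            | bin first_seen span=1d
            | stats count as new_sw by first_seen
            | accum new_sw as cumulated

    Returns {day: (new devices that day, cumulative distinct devices)}.
    """
    first_seen = {}
    for day, uid in events:
        # keep the earliest day per uid even if events arrive out of order
        if uid not in first_seen or day < first_seen[uid]:
            first_seen[uid] = day

    new_per_day = {}
    for day in first_seen.values():
        new_per_day[day] = new_per_day.get(day, 0) + 1

    running, out = 0, {}
    # iterate over every day that has events so days with no new devices
    # still appear on the ramp with a flat step
    for day in sorted({d for d, _ in events}):
        new = new_per_day.get(day, 0)
        running += new
        out[day] = (new, running)
    return out


if __name__ == "__main__":
    ev = build_events()
    print("dc per day       :", dc_per_day(ev))
    print("naive accum      :", naive_accum(ev))
    print("cumulative dc    :", cumulative_distinct(ev))
```

Running it shows the naive accumulation climbing to 578 while the first-seen approach yields 128, 230, 308, which is the "cumulated" column from the question. The first-seen query also avoids the event-order sensitivity of a running `streamstats dc(uid)`, which only works if results are fed to it in ascending time order.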

yAlff
Path Finder

Please accept my apologies, I put my question in a hurry and didn't formulate it well. Please see my updated question.

Thank you for your advice 🙂
