Hi,

I'm looking for a function to cumulate previous values in a timechart. Means that I can see a real-time development of a software roll-out - distincted by a UID. The result should look as a ramp.

My search string looks like this:

sourcetype="foo" devicetype="Bob" | timechart dc(uid) as totale by boxsw | addtotals

This table as an example of the desired results:

Time   # events   w/ new sw    cumulated
Day 1       128         128          128
Day 2       230         102          230
Day 3       220          78          308

So at Day 3 in the example, there are 308 devices with the new software AND it is clear to see, that it doesn't depend primary on how many events where registered.

I just tried streamstats like mentioned in the first comment (that was made according to a badly formulated question...), but it doesn't give me the result I need. (As a first step I would be happy, if there where any cumulated results)

So, I'm looking forward to seeing an instructive answer to my question 🙂

Regards 😉