## Getting cumulative total into chart

Explorer

I have a dataset like:

```
quarter,faculty,people
2016-Q1,LAW,2
2016-Q1,EDUCATION,2
2017-Q1,LAW,5
2017-Q1,LAW,1
2017-Q1,EDUCATION,3
2017-Q1,EDUCATION,4
2017-Q1,EDUCATION,2
```

I'm trying to get the cumulative total by quarter of people per faculty, and display this in a chart so that the people count is on the y-axis, the quarter is on the x-axis and the graph is stacked by faculty.

e.g.

I can get the (summed) people count as a chart, by doing this:

```
search | chart sum(people) over quarter by faculty
```

So the data would look like:

2016-Q1
LAW = 2
EDUCATION = 2

2016-Q2
LAW = 0
EDUCATION = 0

2017-Q1
LAW=6
EDUCATION = 9

But I want to get the cumulative people count, so that the counts end up more like

2016-Q1
LAW = 2
EDUCATION = 2

2016-Q2
LAW = 2
EDUCATION = 2

LAW = 8
EDUCATION = 11

I know there is an accum function but I can't get this to play with chart.

Any ideas how to do this?

1 Solution
Revered Legend

Assuming that the faculty name can be dynamic, try something like this. This will give the cumulative sum of every faculty column without specifying a name.

```
your base search | chart sum(people) over quarter by faculty
| streamstats sum(*) as *
```
Explorer

Thank you. This does exactly what I want.
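
A run-anywhere version of the accepted `streamstats` answer, added here as an example (not part of the original posts): it rebuilds the question's rows with `makeresults` and, because `chart` emits a row only for quarters that occur in the events, appends empty rows for the missing quarters and zero-fills them before accumulating. The field names `constructed_rows` and `assumed_empty_quarters`, and the list of empty quarters itself, are assumptions for illustration.

```spl
| makeresults
| eval constructed_rows=split("2016-Q1,LAW,2;2016-Q1,EDUCATION,2;2017-Q1,LAW,5;2017-Q1,LAW,1;2017-Q1,EDUCATION,3;2017-Q1,EDUCATION,4;2017-Q1,EDUCATION,2", ";")
| mvexpand constructed_rows
| rex field=constructed_rows "^(?<quarter>[^,]+),(?<faculty>[^,]+),(?<people>\d+)$"
| chart sum(people) over quarter by faculty
| append
    [| makeresults
     | eval assumed_empty_quarters=split("2016-Q2,2016-Q3,2016-Q4", ",")
     | mvexpand assumed_empty_quarters
     | rename assumed_empty_quarters as quarter
     | fields - _time]
| sort 0 quarter
| fillnull value=0
| streamstats sum(*) as *
```

Because `sum(*)` matches every column, a numeric x-axis field (a bare year, for instance) would be accumulated as well; in that case name the faculty columns explicitly instead of using the wildcard.
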

Legend

```
<Your existing search with chart as base search>
| accum LAW as Cumu_LAW
| accum EDUCATION as Cumu_EDUCATION
```

Then you need to enable Chart Overlay for all Cumu_* fields, and View as Axis should be turned on. You can do the same by editing the Visualization in the Splunk Web UI, or else through the Splunk Chart reference:

```
<option name="charting.chart.overlayFields">Cumu_LAW,Cumu_BUSINESS,Cumu_EDUCATION</option>
<option name="charting.axisY2.enabled">1</option>
<option name="charting.axisY2.scale">linear</option>
```
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"