Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I do a cumulative timechart with dedup?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I do a cumulative timechart with dedup?
I've got some data with three applicable fields, hostname, requirement, and requirementstatus. Each day I may receive hundreds of log for a single hostname, or none at all. a stream of logs might look like
>hostname="comp1" requirement=foo requirementstatus=failed
>hostname="comp1" requirement=bar requirementstatus=passed
>hostname="comp1" requirement=foo requirementstatus=passed
>hostname="comp1" requirement=bar requirementstatus=passed
I can get the current requirementstatus for each requirement with
>|dedup 1 hostname,requirement sortby - _time|table hostname,requirement,requirementstatus
but how do i get the current, cumulative status per day in a timechart?
- So on day one, I have 50 hostnames with a requirement "foo" and 25 have a requirementstatus of "passed" and 25 "failed"
- Day two, 10 hostnames that previously had a requirementstatus of "failed" are now "passed", and they're the only logs received on day two
my chart when filtered to requirement "foo" should show day1 with 25 passes and 25 fails, day 2 with 35 passes and 15 fails.
I appreciate any insight you can give.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is one way to do one requirement:
requirement=foo
| timechart
count(eval(requirementstatus="passed")) as passes,
count(eval(requirementstatus="failed")) as fails
by hostname
| streamstats sum(passes) as cumsum_passes, sum(fails) as cumsum_fails
It sounds like you are mostly looking for the streamstats command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, I thought it worked, but it's not able to decrease count. So if a fail later becomes a pass, it will +1 the pass, but the fail count stays the same, due to losing the
|dedup 1 hostname,requirement sortby - _time
functionailty. but I think this might also be solvable with streamstats. I'll dig further in. Thanks again!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do some tricky work probably with case to make the success equal to 1, and the fail equal to -1 - then you can use streamstats sum to add it up and have the failures decrease the total.
|bucket span=1d _time
|chart
count(eval(requirementstatus="passed")) as passesPerPeriod,
count(eval(requirementstatus="failed")) as failsperPeriod
| eval requirementstatus_count = case(
requirementstatus="passed", 1,
requirementstatus="failed", -1)
| streamstats
sum(passesPerPeriod) as CumulativePassed
sum(failsperPeriod) as CumulativeFailed
sum(requirementstatus_count) as period_balanced_total
Or something of the sort ... ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Or if you need the period balanced total by time-bucket
|bucket span=1d _time
|chart
count(eval(requirementstatus="passed")) as passesPerPeriod,
count(eval(requirementstatus="failed")) as failsperPeriod
| eval requirementstatus_count = case(
requirementstatus="passed", 1,
requirementstatus="failed", -1)
| streamstats
sum(passesPerPeriod) as CumulativePassed
sum(failsperPeriod) as CumulativeFailed
| eventstats sum(requirementstatus_count) as period_balanced_total by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
|bucket span=1d _time
|chart
count(eval(requirementstatus="passed")) as passesPerPeriod,
count(eval(requirementstatus="failed")) as failsperPeriod
by _time
| streamstats sum(passesPerPeriod) as CumulativePassed, sum(failsperPeriod) as CumulativeFailed
works splendidly. Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess what i'm trying to do is have my timechart bins be day1, day1+2, day1+2+3, etc., if that makes any sense.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
