Solved: Re: Accumulation for all fields in a timechart

RubenF · ‎06-13-2022

Hi,

I have a timechart with the revenue of several shops (each shop is a field) over the month. I want to know the accumulate revenue of each shop over time so that if a shop earned 5$ on monday and 7$ on tuesday then on tuesday the graph will show 12$.

I know that the command accum does that for a given field but I don't know ahead how many fields there will be.

Example:

A   B    C                A    B    C
8   3    5       ->       8    3    5
6   7    4                14   10   9
2   5    9                16   15   18

This is my code until now:

<something>
| timechart span=1d sum(revenue) by shop
| accum A | accum B | accum C

The goal is for the fields to be dynamic and not hardcoded!

Thank you

PickleRick · ‎06-13-2022

Use streamstats with sum() aggregation.

Example:

| makeresults count=10 
| eval a=1,b=2,c=3
| streamstats sum(*) as sum*

View solution in original post

RubenF · ‎06-13-2022

Works perfectly! Thank you

PickleRick · ‎06-13-2022

Use streamstats with sum() aggregation.

Example:

| makeresults count=10 
| eval a=1,b=2,c=3
| streamstats sum(*) as sum*

How do I calculate Accumulation for all fields in a timechart

timechart

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Are you a member of the Splunk Community?

How do I calculate Accumulation for all fields in a timechart

timechart

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler