Splunk Search

How to add previous data to a number from another field, and put it as the current data?

vickyocc53
New Member

I have 3 main fields: _time, total_vehicle, and changes. total_vehicle is only generate periodically and I would like to find out what is happening in between with the "changes" field. Just plainly putting them in table I get:

  _time     min(vehicle_count)  change
    2017-03-15 00:32:00 18   
    2017-03-15 00:34:00     1
    2017-03-15 00:35:00     1
    2017-03-15 00:36:00     1
    2017-03-15 01:25:00     -1
    2017-03-15 01:26:00     -1
    2017-03-15 01:27:00     -1
    2017-03-15 01:28:00     -1
    2017-03-15 01:55:00 17   
    2017-03-15 04:51:00 17   
    2017-03-15 04:59:00     1
    2017-03-15 05:03:00

What I wish to obtain is to concatenate them into one single cumulative table:

  _time     min(vehicle_count)
    2017-03-15 00:32:00 18   
    2017-03-15 00:34:00 19
    2017-03-15 00:35:00 20
    2017-03-15 00:36:00 21
    2017-03-15 01:25:00 20
    2017-03-15 01:26:00 19
    2017-03-15 01:27:00 18
    2017-03-15 01:28:00 17
    2017-03-15 01:55:00 17
    and etc

Does anyone have any idea on how I might be able to achieve that?

0 Karma

niketn
Legend

You should be able to use accum command to achieve what you need.
If you are using timechart command to aggregate vehicle_count using min(), you can use as to provide it a simple alias to be reused further down the query for example.

| timechart min(vehicle_count) as vehicle_count 
| accum vehicle_count as vehicle_count 

If you wish to retain existing fields you can provide a new name after as.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...