Splunk Search
Highlighted

How to add previous data to a number from another field, and put it as the current data?

New Member

I have 3 main fields: time, totalvehicle, and changes. total_vehicle is only generate periodically and I would like to find out what is happening in between with the "changes" field. Just plainly putting them in table I get:

  _time     min(vehicle_count)  change
    2017-03-15 00:32:00 18   
    2017-03-15 00:34:00     1
    2017-03-15 00:35:00     1
    2017-03-15 00:36:00     1
    2017-03-15 01:25:00     -1
    2017-03-15 01:26:00     -1
    2017-03-15 01:27:00     -1
    2017-03-15 01:28:00     -1
    2017-03-15 01:55:00 17   
    2017-03-15 04:51:00 17   
    2017-03-15 04:59:00     1
    2017-03-15 05:03:00

What I wish to obtain is to concatenate them into one single cumulative table:

  _time     min(vehicle_count)
    2017-03-15 00:32:00 18   
    2017-03-15 00:34:00 19
    2017-03-15 00:35:00 20
    2017-03-15 00:36:00 21
    2017-03-15 01:25:00 20
    2017-03-15 01:26:00 19
    2017-03-15 01:27:00 18
    2017-03-15 01:28:00 17
    2017-03-15 01:55:00 17
    and etc

Does anyone have any idea on how I might be able to achieve that?

0 Karma
Highlighted

Re: How to add previous data to a number from another field, and put it as the current data?

Legend

You should be able to use accum command to achieve what you need.
If you are using timechart command to aggregate vehicle_count using min(), you can use as to provide it a simple alias to be reused further down the query for example.

| timechart min(vehicle_count) as vehicle_count 
| accum vehicle_count as vehicle_count 

If you wish to retain existing fields you can provide a new name after as.




| eval message="Happy Splunking!!!"


0 Karma