Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to calculate N series of values?

kkarthik2
Observer
‎08-05-2015 05:03 AM

My table look like this

Date/Time Name Value

26/6/2014 1:00 Foo 10
26/6/2014 2:00 foo 100 ..................Highest value of the day
26/6/2014 3:00 foo 0
..
...
..
26/6/2014 24:00 foo 0
27/6/2014 00:00 foo 0
.....
...............
..................
27/6/2014 8:00 foo 50
27/6/2014 9:00 foo 150 ................................. highest value of the day
......................
...................
27/6/2014 24:00 foo 0
28/6/2014 00:00 foo 0
........................
...........................

28/6/2014 12:00 foo 100
28/6/2014 13:00 foo 160 ..............................Highest value of the day
............................
.....................

I want the output and it would be looks

Date/Time Name Value

26/6/2014 1:00 Foo 10
26/6/2014 2:00 foo 100 ..................Highest value of the day
26/6/2014 3:00 foo 0+100
.26/6/2014 4:00 foo 0+100.
...
26/6/2014 22:00 foo 0+100
26/6/2014 23:00 foo 0+100.
26/6/2014 24:00 foo 0+100
27/6/2014 00:00 foo 0+100 ( This Value 100 is highest value of 26th date need to add on next date value)
27/6/2014 01:00 foo 0+100
.....
...............
..................
27/6/2014 06:00 foo 0+100
27/6/2014 07:00 foo 0+100
27/6/2014 08:00 foo 50+100
27/6/2014 09:00 foo 150 +100................................. highest value of the day
......................
...................
27/6/2014 24:00 foo 0+150+100
28/6/2014 00:00 foo 0+150+100 ( This Value 150+100= 250 is highest value on 27th date need to add on next date values)
28/6/2014 01:00 foo 0+150+100
........................
...........................
28/6/2014 10:00 foo 0+150+100
28/6/2014 11:00 foo 0+150+100
28/6/2014 12:00 foo 100+150+100
28/6/2014 13:00 foo 160 +150+100..............................Highest value of the day
28/6/2014 14:00 foo 0+160 +150+100.
28/6/2014 15:00 foo 0+160 +150+100.
28/6/2014 16:00 foo 0+160 +150+100.
..................................
....................................
..........................................
28/6/2014 24:00 foo 0+160 +150+100.( This Value 160+150+100= 410 is highest value on 28th date need to add on next date values)...
so...on

How to do search query for the above table.

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎08-05-2015 08:58 AM

See if this is what you want. Use _internal data for scheduler sourcetype. This should work on any Splunk instance. 

index=_internal sourcetype=scheduler earliest=-3d | bucket span=1h _time | stats count by _time sourcetype | eval Day=strftime(_time,"%Y-%m-%d")  | eventstats max(count) as max by Day sourcetype | eval max=if(max=count,max,0) | eval DayMax=max | accum max | eval newcount=max+count | fields - Day max
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...