Splunk Search

## How to calculate N series of values?

New Member

My table looks like this:

Date/Time Name Value

26/6/2014 1:00 Foo 10
26/6/2014 2:00 foo 100 ..................Highest value of the day
26/6/2014 3:00 foo 0
..
...
..
26/6/2014 24:00 foo 0
27/6/2014 00:00 foo 0
.....
...............
..................
27/6/2014 8:00 foo 50
27/6/2014 9:00 foo 150 ................................. highest value of the day
......................
...................
27/6/2014 24:00 foo 0
28/6/2014 00:00 foo 0
........................
...........................

28/6/2014 12:00 foo 100
28/6/2014 13:00 foo 160 ..............................Highest value of the day
............................
.....................

I want the output to look like this:

Date/Time Name Value

26/6/2014 1:00 Foo 10
26/6/2014 2:00 foo 100 ..................Highest value of the day
26/6/2014 3:00 foo 0+100
26/6/2014 4:00 foo 0+100
...
26/6/2014 22:00 foo 0+100
26/6/2014 23:00 foo 0+100.
26/6/2014 24:00 foo 0+100
27/6/2014 00:00 foo 0+100 (this value, 100, is the highest value of the 26th and needs to be added to the next date's values)
27/6/2014 01:00 foo 0+100
.....
...............
..................
27/6/2014 06:00 foo 0+100
27/6/2014 07:00 foo 0+100
27/6/2014 08:00 foo 50+100
27/6/2014 09:00 foo 150 +100................................. highest value of the day
......................
...................
27/6/2014 24:00 foo 0+150+100
28/6/2014 00:00 foo 0+150+100 (this value, 150+100 = 250, is the highest value on the 27th and needs to be added to the next date's values)
28/6/2014 01:00 foo 0+150+100
........................
...........................
28/6/2014 10:00 foo 0+150+100
28/6/2014 11:00 foo 0+150+100
28/6/2014 12:00 foo 100+150+100
28/6/2014 13:00 foo 160 +150+100..............................Highest value of the day
28/6/2014 14:00 foo 0+160 +150+100.
28/6/2014 15:00 foo 0+160 +150+100.
28/6/2014 16:00 foo 0+160 +150+100.
..................................
....................................
..........................................
28/6/2014 24:00 foo 0+160+150+100 (this value, 160+150+100 = 410, is the highest value on the 28th and needs to be added to the next date's values)...
and so on

How do I write a search query for the above table?

Revered Legend

See if this is what you want. Use _internal data for scheduler sourcetype. This should work on any Splunk instance.

```
index=_internal sourcetype=scheduler earliest=-3d
| bucket span=1h _time
| stats count by _time sourcetype
| eval Day=strftime(_time,"%Y-%m-%d")
| eventstats max(count) as max by Day sourcetype
| eval max=if(max=count,max,0)
| eval DayMax=max
| accum max
| eval newcount=max+count
| fields - Day max
```
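The stages of the search above, replayed in Python on a constructed table shaped like the one in the question (an added example, not part of the original answer; the function name, field names and sample rows are assumptions, and a single series is assumed). It returns both the `newcount` the search computes and the running total laid out in the question; the two differ only on each day's peak row, where `accum` has already included that row's own value.

```python
from itertools import groupby

# Constructed sample modelled on the question's table: (day, hour, value).
ROWS = [
    ("2014-06-26", 1, 10), ("2014-06-26", 2, 100), ("2014-06-26", 3, 0),
    ("2014-06-27", 8, 50), ("2014-06-27", 9, 150), ("2014-06-27", 23, 0),
    ("2014-06-28", 12, 100), ("2014-06-28", 13, 160), ("2014-06-28", 14, 0),
]


def carry_daily_peaks(rows):
    """Replay the search stages over rows already sorted by time.

    Hypothetical helper for illustration. If several rows tie for a
    day's maximum, each of them is added to the running total, which
    is also what the eventstats/eval/accum chain does.
    """
    out = []
    running = 0  # running total of daily peaks (what `accum max` builds)
    for _, group in groupby(rows, key=lambda r: r[0]):
        group = list(group)
        # eventstats max(count) as max by Day
        day_max = max(value for _, _, value in group)
        for day, hour, value in group:
            # eval max=if(max=count,max,0)
            peak = value if value == day_max else 0
            before = running
            # accum max: the running total includes the current row
            running += peak
            out.append({
                "day": day,
                "hour": hour,
                "value": value,
                # eval newcount=max+count, as the search computes it
                "newcount": running + value,
                # total of earlier peaks only, as in the question's table
                "expected": before + value,
            })
    return out


if __name__ == "__main__":
    for row in carry_daily_peaks(ROWS):
        print(row["day"], f'{row["hour"]:02d}:00', row["value"],
              row["newcount"], row["expected"])
```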