Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to calculate N series of values?

kkarthik2
Observer
‎08-05-2015 05:03 AM

My table look like this

Date/Time Name Value

26/6/2014 1:00 Foo 10
26/6/2014 2:00 foo 100 ..................Highest value of the day
26/6/2014 3:00 foo 0
..
...
..
26/6/2014 24:00 foo 0
27/6/2014 00:00 foo 0
.....
...............
..................
27/6/2014 8:00 foo 50
27/6/2014 9:00 foo 150 ................................. highest value of the day
......................
...................
27/6/2014 24:00 foo 0
28/6/2014 00:00 foo 0
........................
...........................

28/6/2014 12:00 foo 100
28/6/2014 13:00 foo 160 ..............................Highest value of the day
............................
.....................

I want the output and it would be looks

Date/Time Name Value

26/6/2014 1:00 Foo 10
26/6/2014 2:00 foo 100 ..................Highest value of the day
26/6/2014 3:00 foo 0+100
.26/6/2014 4:00 foo 0+100.
...
26/6/2014 22:00 foo 0+100
26/6/2014 23:00 foo 0+100.
26/6/2014 24:00 foo 0+100
27/6/2014 00:00 foo 0+100 ( This Value 100 is highest value of 26th date need to add on next date value)
27/6/2014 01:00 foo 0+100
.....
...............
..................
27/6/2014 06:00 foo 0+100
27/6/2014 07:00 foo 0+100
27/6/2014 08:00 foo 50+100
27/6/2014 09:00 foo 150 +100................................. highest value of the day
......................
...................
27/6/2014 24:00 foo 0+150+100
28/6/2014 00:00 foo 0+150+100 ( This Value 150+100= 250 is highest value on 27th date need to add on next date values)
28/6/2014 01:00 foo 0+150+100
........................
...........................
28/6/2014 10:00 foo 0+150+100
28/6/2014 11:00 foo 0+150+100
28/6/2014 12:00 foo 100+150+100
28/6/2014 13:00 foo 160 +150+100..............................Highest value of the day
28/6/2014 14:00 foo 0+160 +150+100.
28/6/2014 15:00 foo 0+160 +150+100.
28/6/2014 16:00 foo 0+160 +150+100.
..................................
....................................
..........................................
28/6/2014 24:00 foo 0+160 +150+100.( This Value 160+150+100= 410 is highest value on 28th date need to add on next date values)...
so...on

How to do search query for the above table.

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎08-05-2015 08:58 AM

See if this is what you want. Use _internal data for scheduler sourcetype. This should work on any Splunk instance. 

index=_internal sourcetype=scheduler earliest=-3d | bucket span=1h _time | stats count by _time sourcetype | eval Day=strftime(_time,"%Y-%m-%d")  | eventstats max(count) as max by Day sourcetype | eval max=if(max=count,max,0) | eval DayMax=max | accum max | eval newcount=max+count | fields - Day max
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...