Splunk Search
Highlighted

How to calculate the "Moving" sum of the last 52 weeks?

Path Finder

Splunkers!
I have a new problem I'm not able to solve, I hope you can help me...

Basically, I'm counting the number of incidents occurring on weekly basis related to the last 2 years (events beginning in Jan 2016):

...
| eval dateweek_year=strftime(_time,"%Y-%U")    
| chart count as Num_Incidents over dateweek_year

Now, I'd like to present the outcome as "moving sum" of the last 52 weeks, starting from Jan 2017.
So 01-2017 period has to show the sum of incidents from 02-2016 to 01-2017,
02-2017 from 03-2016 to 02-2017
etc...

Any help?

I've no clue about how to do it...

Eventstats/Streamstats should help?

Tks!
Carmine

0 Karma
Highlighted

Re: How to calculate the "Moving" sum of the last 52 weeks?

Legend

@CarmineCalo, Please try the following and confirm

 <YourBaseSearch>
| eval dateweek_year=strftime(_time,"%Y-%U")    
| chart count as Num_Incidents over dateweek_year
| accum Num_Incidents 



| eval message="Happy Splunking!!!"


0 Karma
Highlighted

Re: How to calculate the "Moving" sum of the last 52 weeks?

SplunkTrust
SplunkTrust

hey I think you want something like this

<your_base_search> 
| eval dateweek_year=strftime(_time,"%Y-%U") 
| chart count as Num_Incidents over dateweek_year 
| streamstats sum(Num_Incidents) as "Moving_SUM" window=52

So, you will get cumulative sum of last 52 weeks at any point of time.
let me know if this helps!

View solution in original post

0 Karma
Highlighted

Re: How to calculate the "Moving" sum of the last 52 weeks?

Path Finder

This option works, great 🙂

Tks!
Carmine

0 Karma