Splunk Search
Highlighted

## How to calculate the "Moving" sum of the last 52 weeks?

Path Finder

Splunkers!
I have a new problem I'm not able to solve, I hope you can help me...

Basically, I'm counting the number of incidents occurring on weekly basis related to the last 2 years (events beginning in Jan 2016):

``````...
| eval dateweek_year=strftime(_time,"%Y-%U")
| chart count as Num_Incidents over dateweek_year
``````

Now, I'd like to present the outcome as "moving sum" of the last 52 weeks, starting from Jan 2017.
So 01-2017 period has to show the sum of incidents from 02-2016 to 01-2017,
02-2017 from 03-2016 to 02-2017
etc...

Any help?

I've no clue about how to do it...

Eventstats/Streamstats should help?

Tks!
Carmine

Tags (3)
1 Solution
Highlighted

## Re: How to calculate the "Moving" sum of the last 52 weeks?

Legend

@CarmineCalo, Please try the following and confirm

`````` <YourBaseSearch>
| eval dateweek_year=strftime(_time,"%Y-%U")
| chart count as Num_Incidents over dateweek_year
| accum Num_Incidents
``````

| eval message="Happy Splunking!!!"

Highlighted

## Re: How to calculate the "Moving" sum of the last 52 weeks?

SplunkTrust

hey I think you want something like this

``````<your_base_search>
| eval dateweek_year=strftime(_time,"%Y-%U")
| chart count as Num_Incidents over dateweek_year
| streamstats sum(Num_Incidents) as "Moving_SUM" window=52
``````

So, you will get cumulative sum of last 52 weeks at any point of time.
let me know if this helps!

Highlighted

## Re: How to calculate the "Moving" sum of the last 52 weeks?

Path Finder

This option works, great 🙂

Tks!
Carmine