Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create A new field which creates accumulative results from current and previous records of different field

priyaramki16
Path Finder
‎06-16-2020 02:52 AM

I have a two fields Calendar_week, Count...

I am trying to create a New field as Cumulative count which will add the previous cumulative count with Current Count.

For eg 

Calender_week----Count----Cumulative_Count

1                              ---- 0        ----0

2                              ---- 1       ----1

3                             ---- 2       ----3

 

Is there a search which could do this..

Thanks

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
SplunkTrust
SplunkTrust
‎06-16-2020 02:59 AM

Hi @priyaramki16 ,

 

Take a look at streamstats: 

https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Streamstats

In your case, something like the following should do the trick:

 

your query here
| sort limit=0 "Calendar Week"
| streamstats sum(count) as Cumulative_Count

 

 

 

Hope that helps

View solution in original post

Reply
Solved! Jump to solution
Solution

javiergn
SplunkTrust
SplunkTrust
‎06-16-2020 02:59 AM

Hi @priyaramki16 ,

 

Take a look at streamstats: 

https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Streamstats

In your case, something like the following should do the trick:

 

your query here
| sort limit=0 "Calendar Week"
| streamstats sum(count) as Cumulative_Count

 

 

 

Hope that helps

Reply
Solved! Jump to solution

priyaramki16
Path Finder
‎06-16-2020 03:29 AM

Hi @javiergn ...the query you suggested produced a field which is same as count but with first row not filled...

the addition did not happen

priyaramki16_0-1592303324342.png

 

0 Karma
Reply
Solved! Jump to solution

javiergn
SplunkTrust
SplunkTrust
‎06-16-2020 06:27 AM

Hi @priyaramki16 ,

 

I made a typo on my answer as I didn't have a lab to check my syntax. See the answer above again.

By the way, make sure your sort is working fine as there seems to be a trailing space in your query between "Calendar" and "Week"

0 Karma
Reply
Solved! Jump to solution

priyaramki16
Path Finder
‎06-16-2020 06:43 AM

Thanks!! It worked!!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...