Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to generate an accumulating total bucketed by day per user?

mjones414
Contributor
‎04-12-2023 03:49 PM

Hello,

Im trying to accumulate and analyze a persons risk score every day, once per day, and only fire when the total score for a given user esceeds a pre-determined threshold for that amount of time has been exceeded.

for example, if I have a threshold chart for:
1 day
1 week
2 weeks
3 weeks
1 month
2 months 
3 months 
etc

I want a running total of the all the persons generated risk, but I only want to review it when the accumulated total exceeds the threshold for the given period of time


index=summary_events 
|bin _time span=1d
|table _time,user,base_score

   | timechart useother=f span=1d sum(base_score) as total_score by user
didnt produce the results I was expecting because it was only giving me the totals for that day, but not the accumulated total.

the accum command doesn't seem to take a by clause.  

kind of striking out on how to properly approach this.  would love some suggestions?

 

 

Labels (1)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎04-12-2023 03:57 PM

index="_internal" AND "metrics" AND "kb"
| rename kb AS base_score
| rename host AS user
| reverse
| bin _time span=1d
| streamstats sum(base_score) AS accumulated_score BY user
| timechart useother=f span=1d first(accumulated_score) AS accumulated_score BY user

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...