Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to generate an accumulating total bucketed by day per user?

mjones414
Contributor
‎04-12-2023 03:49 PM

Hello,

Im trying to accumulate and analyze a persons risk score every day, once per day, and only fire when the total score for a given user esceeds a pre-determined threshold for that amount of time has been exceeded.

for example, if I have a threshold chart for:
1 day
1 week
2 weeks
3 weeks
1 month
2 months 
3 months 
etc

I want a running total of the all the persons generated risk, but I only want to review it when the accumulated total exceeds the threshold for the given period of time


index=summary_events 
|bin _time span=1d
|table _time,user,base_score

   | timechart useother=f span=1d sum(base_score) as total_score by user
didnt produce the results I was expecting because it was only giving me the totals for that day, but not the accumulated total.

the accum command doesn't seem to take a by clause.  

kind of striking out on how to properly approach this.  would love some suggestions?

 

 

Labels (1)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎04-12-2023 03:57 PM

index="_internal" AND "metrics" AND "kb"
| rename kb AS base_score
| rename host AS user
| reverse
| bin _time span=1d
| streamstats sum(base_score) AS accumulated_score BY user
| timechart useother=f span=1d first(accumulated_score) AS accumulated_score BY user

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...