Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to generate an accumulating total bucketed by day per user?

mjones414
Contributor
‎04-12-2023 03:49 PM

Hello,

Im trying to accumulate and analyze a persons risk score every day, once per day, and only fire when the total score for a given user esceeds a pre-determined threshold for that amount of time has been exceeded.

for example, if I have a threshold chart for:
1 day
1 week
2 weeks
3 weeks
1 month
2 months 
3 months 
etc

I want a running total of the all the persons generated risk, but I only want to review it when the accumulated total exceeds the threshold for the given period of time


index=summary_events 
|bin _time span=1d
|table _time,user,base_score

   | timechart useother=f span=1d sum(base_score) as total_score by user
didnt produce the results I was expecting because it was only giving me the totals for that day, but not the accumulated total.

the accum command doesn't seem to take a by clause.  

kind of striking out on how to properly approach this.  would love some suggestions?

 

 

Labels (1)
Labels
0 Karma
Reply

woodcock
Esteemed Legend
‎04-12-2023 03:57 PM

index="_internal" AND "metrics" AND "kb"
| rename kb AS base_score
| rename host AS user
| reverse
| bin _time span=1d
| streamstats sum(base_score) AS accumulated_score BY user
| timechart useother=f span=1d first(accumulated_score) AS accumulated_score BY user

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...