Re: How to represent fluctuating values?

pipipipi · ‎05-25-2020

Hi all,

I have this search:

|table a b date
|eval c=a-b
|stats sum(*) as * by date date a b c
2019-01 5 3 2
2019-02 4 3 1
2019-03 3 2 1
2019-04 6 3 3

I want to make it like this:

Date d a b c

2019-01 0  5 3 2 
2019-02 2  4 3 3 
2019-03 3  3 2 4
2019-04 4  6 3 7

My formula is this:

a-b=c

Next month, I want to add c value, like this:

(c+a)-b=x
next month
(x+a)-b=y
(y+a)-b=z

......

I can understand this formula, but I can not express it in Splunk.
Do you have any ideas?

Thank you for helping.

niketn · ‎05-25-2020

@pipipipi check out the accum command in Splunk Documentation. You just need to add | accum c as d to your existing search. However, there can be some performance improvements (refer below):

   <yourSearchToFetchData>
  | fields a b date
  | stats sum(a) as a  sum(b) as b by date
  | eval c=a-b
  | accum c as d

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to represent fluctuating values?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation