Re: How to represent fluctuating values?

pipipipi · ‎05-25-2020

Hi all,

I have this search:

|table a b date
|eval c=a-b
|stats sum(*) as * by date date a b c
2019-01 5 3 2
2019-02 4 3 1
2019-03 3 2 1
2019-04 6 3 3

I want to make it like this:

Date d a b c

2019-01 0  5 3 2 
2019-02 2  4 3 3 
2019-03 3  3 2 4
2019-04 4  6 3 7

My formula is this:

a-b=c

Next month, I want to add c value, like this:

(c+a)-b=x
next month
(x+a)-b=y
(y+a)-b=z

......

I can understand this formula, but I can not express it in Splunk.
Do you have any ideas?

Thank you for helping.

niketn · ‎05-25-2020

@pipipipi check out the accum command in Splunk Documentation. You just need to add | accum c as d to your existing search. However, there can be some performance improvements (refer below):

   <yourSearchToFetchData>
  | fields a b date
  | stats sum(a) as a  sum(b) as b by date
  | eval c=a-b
  | accum c as d

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to represent fluctuating values?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation