Re: How to represent fluctuating values?

pipipipi · ‎05-25-2020

Hi all,

I have this search:

|table a b date
|eval c=a-b
|stats sum(*) as * by date date a b c
2019-01 5 3 2
2019-02 4 3 1
2019-03 3 2 1
2019-04 6 3 3

I want to make it like this:

Date d a b c

2019-01 0  5 3 2 
2019-02 2  4 3 3 
2019-03 3  3 2 4
2019-04 4  6 3 7

My formula is this:

a-b=c

Next month, I want to add c value, like this:

(c+a)-b=x
next month
(x+a)-b=y
(y+a)-b=z

......

I can understand this formula, but I can not express it in Splunk.
Do you have any ideas?

Thank you for helping.

niketn · ‎05-25-2020

@pipipipi check out the accum command in Splunk Documentation. You just need to add | accum c as d to your existing search. However, there can be some performance improvements (refer below):

   <yourSearchToFetchData>
  | fields a b date
  | stats sum(a) as a  sum(b) as b by date
  | eval c=a-b
  | accum c as d

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to represent fluctuating values?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

How to represent fluctuating values?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey