- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to reset an accum command
I am looking to create a timechart. I have a base search that adds or subtracts "1" when certain events occur:
eval x=if(match(field_1,"xxx"),1,-1)
Then I accumulate them with:
| accum x AS total_x |
The problem is that there is another type of event "event_y". When this type of event occurs, I need to reset "total_x" to 0 and have it start accumulating again. I've been trying:
eval reset=if(match(field_2,"event_y"),total_x=0,total_x)
And then using that to create a timechart
Any suggestions as to how I can make the accum reset?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Its took me a while to come up with this. Please see if something like this helps
<pre search> | eval x = if(match(field_1,"XXX"),1,if(match(field_1,"YYY"),0,-1)) | accum x AS total_x | table _time,field_1,x,total_x | eval y = if(x=0,total_x,NULL) |filldown y | fillnull value=0 y | delta y as z | eval z = if(z=0,NULL,z) | eval w = coalesce(z,x) | eval w = if(x=0,0-w,w)| accum w as total_w
Here total_w column would be your requested re-setted accum count.
where XXX is where the we assume 1 is added and YYY is event where after the reset is required
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know much about Splunk or how to write commands, but if your event_y fires, couldn't you multiply total_x by 0?
