Re: How to reset an accum command

billyp5 · ‎11-20-2014

I am looking to create a timechart. I have a base search that adds or subtracts "1" when certain events occur:

eval x=if(match(field_1,"xxx"),1,-1)

Then I accumulate them with:

| accum x AS total_x |

The problem is that there is another type of event "event_y". When this type of event occurs, I need to reset "total_x" to 0 and have it start accumulating again. I've been trying:

eval reset=if(match(field_2,"event_y"),total_x=0,total_x)

And then using that to create a timechart

Any suggestions as to how I can make the accum reset?

adityapavan18 · ‎12-25-2014

Its took me a while to come up with this. Please see if something like this helps

<pre search>  | eval x = if(match(field_1,"XXX"),1,if(match(field_1,"YYY"),0,-1))  | accum x AS total_x | table _time,field_1,x,total_x | eval y = if(x=0,total_x,NULL)  |filldown y | fillnull value=0 y | delta y as z | eval z = if(z=0,NULL,z) | eval w = coalesce(z,x) | eval w = if(x=0,0-w,w)| accum w as total_w

Here total_w column would be your requested re-setted accum count.

where XXX is where the we assume 1 is added and YYY is event where after the reset is required

TaylorWhitt · ‎12-24-2014

I don't know much about Splunk or how to write commands, but if your event_y fires, couldn't you multiply total_x by 0?

How to reset an accum command

Index This | Divide 100 by half. What do you get?

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Splunk and Fraud