Splunk Search

How to search the cumulative sum for multiple fields and chart them by day?

theouhuios
Motivator

Hello

I am trying to get a cumulative sum of multiple fields and then chart them. Problem is, I can use accum on only ONE field at a time. The fields are dynamic, so I need something which will calculate the cumulative value for fields which start with AWS-*

The fields look like below
alt text

There can be other tags too like AWS-S3 etc depending on the filters which people pick. So Is there a way to get a cumulative value of each field as its own field ( cumulative value of AWs-EC2 as accum _AWS-EC2etc) ?

Search:

 index=blah sourcetype=blah  source="*blah-*"  Center=ABC123|timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag|accum AWS-EC2 as accum_AWS-EC2|accum AWS-EMR as accum_AWS-EMR

UPDATE: Updated the question. I am trying to get the cumulative value by Day

Tags (3)
0 Karma
1 Solution

woodcock
Esteemed Legend

Try this:

... | streamstats sum(AWS-*)

or this:

... | stats sum(AWS-*)

View solution in original post

0 Karma

woodcock
Esteemed Legend

This will work:

  index=blah sourcetype=blah  source="*blah-*"  Center=ABC123|timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag | reverse | streamstats current=t sum(AWS*) BY _time

But I think you are not looking for a running total (which is what accum and streamstats do) but rather a daily sum, right? If so then do this:

  index=blah sourcetype=blah  source="*blah-*"  Center=ABC123|timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag | reverse | stats sum(AWS*) BY _time

Or, to keep the table as-is and just add a column, do this

  index=blah sourcetype=blah  source="*blah-*"  Center=ABC123|timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag | reverse | eventstats sum(AWS*) BY _time
0 Karma

ngatchasandra
Builder

Try also with accum command which create a cumulative sum:

 ....| accum sum AWS-* as AWS-*_accum |timechart    AWS-*_accum  span=1d 
0 Karma

fdi01
Motivator

try like:

...| bucket _time span=1d |streamstats sum(AWS-*) by _time |

0 Karma

theouhuios
Motivator

This wouldn't work . If I do it after the timechart it would give me the same value since at a given _time value there is only one corresponding AWS-EC2 or AWS-EMR value. If I do this before my timechart, there is no field called AWS-*

0 Karma

woodcock
Esteemed Legend

OK, based on your clarification, do this:

... | bucket _time span=1d | stats sum(AWS-*) by _time | addcoltotals

Or this (still not sure if you need accum or sum):

... | bucket _time span=1d | streamstats sum(AWS-*) by _time

The bucket part may not be necessary (if your data matches what you show).

0 Karma

theouhuios
Motivator

Updated the question with the search. AWs-* field are basically values of field called ProductName.

0 Karma

theouhuios
Motivator

addcoltotals will give me a cumulative value for all the fields.. Problem is I need it to add by day.. Like accum which keeps adding the field above the the current field and keeps going on. This would basically give me the TOTAL cost till that day, for everyday.

0 Karma

ngatchasandra
Builder

Hi,

Try with

....| streamstats sum(AWS-*) as AWS-*_accum |timechart    AWS-*_accum  span=1d 
0 Karma

theouhuios
Motivator

Sorry, I should have been more Clear. I need to get a cumulative value by each day so that I can just chart the cumulative values of all AWS-* , stack them up which would give the total value for the day along with the ProductName.

0 Karma

DavidHourani
Super Champion

What search command are you currently using ?

0 Karma

theouhuios
Motivator

Updated the search

0 Karma

woodcock
Esteemed Legend

Try this:

... | streamstats sum(AWS-*)

or this:

... | stats sum(AWS-*)
0 Karma

theouhuios
Motivator

Amazing. Such a simple function and it solved the issue.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...