Solved: Re: How to search the cumulative sum for multiple ...

theouhuios · ‎06-30-2015

Hello

I am trying to get a cumulative sum of multiple fields and then chart them. Problem is, I can use accum on only ONE field at a time. The fields are dynamic, so I need something which will calculate the cumulative value for fields which start with AWS-*

The fields look like below

There can be other tags too like AWS-S3 etc depending on the filters which people pick. So Is there a way to get a cumulative value of each field as its own field ( cumulative value of AWs-EC2 as accum _AWS-EC2etc) ?

Search:

 index=blah sourcetype=blah  source="*blah-*"  Center=ABC123|timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag|accum AWS-EC2 as accum_AWS-EC2|accum AWS-EMR as accum_AWS-EMR

UPDATE: Updated the question. I am trying to get the cumulative value by Day

woodcock · ‎06-30-2015

Try this:

... | streamstats sum(AWS-*)

or this:

... | stats sum(AWS-*)

View solution in original post

woodcock · ‎06-30-2015

This will work:

  index=blah sourcetype=blah  source="*blah-*"  Center=ABC123|timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag | reverse | streamstats current=t sum(AWS*) BY _time

But I think you are not looking for a running total (which is what accum and streamstats do) but rather a daily sum, right? If so then do this:

  index=blah sourcetype=blah  source="*blah-*"  Center=ABC123|timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag | reverse | stats sum(AWS*) BY _time

Or, to keep the table as-is and just add a column, do this

  index=blah sourcetype=blah  source="*blah-*"  Center=ABC123|timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag | reverse | eventstats sum(AWS*) BY _time

ngatchasandra · ‎06-30-2015

Try also with accum command which create a cumulative sum:

 ....| accum sum AWS-* as AWS-*_accum |timechart    AWS-*_accum  span=1d

fdi01 · ‎06-30-2015

try like:

...| bucket _time span=1d |streamstats sum(AWS-*) by _time |

theouhuios · ‎06-30-2015

This wouldn't work . If I do it after the timechart it would give me the same value since at a given _time value there is only one corresponding AWS-EC2 or AWS-EMR value. If I do this before my timechart, there is no field called AWS-*

woodcock · ‎06-30-2015

OK, based on your clarification, do this:

... | bucket _time span=1d | stats sum(AWS-*) by _time | addcoltotals

Or this (still not sure if you need accum or sum):

... | bucket _time span=1d | streamstats sum(AWS-*) by _time

The bucket part may not be necessary (if your data matches what you show).

theouhuios · ‎06-30-2015

Updated the question with the search. AWs-* field are basically values of field called ProductName.

theouhuios · ‎06-30-2015

addcoltotals will give me a cumulative value for all the fields.. Problem is I need it to add by day.. Like accum which keeps adding the field above the the current field and keeps going on. This would basically give me the TOTAL cost till that day, for everyday.

ngatchasandra · ‎06-30-2015

Hi,

Try with

....| streamstats sum(AWS-*) as AWS-*_accum |timechart    AWS-*_accum  span=1d

theouhuios · ‎06-30-2015

Sorry, I should have been more Clear. I need to get a cumulative value by each day so that I can just chart the cumulative values of all AWS-* , stack them up which would give the total value for the day along with the ProductName.

DavidHourani · ‎06-30-2015

What search command are you currently using ?

theouhuios · ‎06-30-2015

Updated the search

woodcock · ‎06-30-2015

Try this:

... | streamstats sum(AWS-*)

or this:

... | stats sum(AWS-*)

theouhuios · ‎06-30-2015

Amazing. Such a simple function and it solved the issue.

How to search the cumulative sum for multiple fields and chart them by day?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?