Splunk Search

How to search the cumulative sum for multiple fields and chart them by day?

theouhuios
Motivator

Hello

I am trying to get a cumulative sum of multiple fields and then chart them. Problem is, I can use accum on only ONE field at a time. The fields are dynamic, so I need something which will calculate the cumulative value for fields which start with AWS-*

The fields look like below
alt text

There can be other tags too like AWS-S3 etc depending on the filters which people pick. So Is there a way to get a cumulative value of each field as its own field ( cumulative value of AWs-EC2 as accum _AWS-EC2etc) ?

Search:

 index=blah sourcetype=blah  source="*blah-*"  Center=ABC123|timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag|accum AWS-EC2 as accum_AWS-EC2|accum AWS-EMR as accum_AWS-EMR

UPDATE: Updated the question. I am trying to get the cumulative value by Day

Tags (3)
0 Karma
1 Solution

woodcock
Esteemed Legend

Try this:

... | streamstats sum(AWS-*)

or this:

... | stats sum(AWS-*)

View solution in original post

0 Karma

woodcock
Esteemed Legend

This will work:

  index=blah sourcetype=blah  source="*blah-*"  Center=ABC123|timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag | reverse | streamstats current=t sum(AWS*) BY _time

But I think you are not looking for a running total (which is what accum and streamstats do) but rather a daily sum, right? If so then do this:

  index=blah sourcetype=blah  source="*blah-*"  Center=ABC123|timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag | reverse | stats sum(AWS*) BY _time

Or, to keep the table as-is and just add a column, do this

  index=blah sourcetype=blah  source="*blah-*"  Center=ABC123|timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag | reverse | eventstats sum(AWS*) BY _time
0 Karma

ngatchasandra
Builder

Try also with accum command which create a cumulative sum:

 ....| accum sum AWS-* as AWS-*_accum |timechart    AWS-*_accum  span=1d 
0 Karma

fdi01
Motivator

try like:

...| bucket _time span=1d |streamstats sum(AWS-*) by _time |

0 Karma

theouhuios
Motivator

This wouldn't work . If I do it after the timechart it would give me the same value since at a given _time value there is only one corresponding AWS-EC2 or AWS-EMR value. If I do this before my timechart, there is no field called AWS-*

0 Karma

woodcock
Esteemed Legend

OK, based on your clarification, do this:

... | bucket _time span=1d | stats sum(AWS-*) by _time | addcoltotals

Or this (still not sure if you need accum or sum):

... | bucket _time span=1d | streamstats sum(AWS-*) by _time

The bucket part may not be necessary (if your data matches what you show).

0 Karma

theouhuios
Motivator

Updated the question with the search. AWs-* field are basically values of field called ProductName.

0 Karma

theouhuios
Motivator

addcoltotals will give me a cumulative value for all the fields.. Problem is I need it to add by day.. Like accum which keeps adding the field above the the current field and keeps going on. This would basically give me the TOTAL cost till that day, for everyday.

0 Karma

ngatchasandra
Builder

Hi,

Try with

....| streamstats sum(AWS-*) as AWS-*_accum |timechart    AWS-*_accum  span=1d 
0 Karma

theouhuios
Motivator

Sorry, I should have been more Clear. I need to get a cumulative value by each day so that I can just chart the cumulative values of all AWS-* , stack them up which would give the total value for the day along with the ProductName.

0 Karma

DavidHourani
Super Champion

What search command are you currently using ?

0 Karma

theouhuios
Motivator

Updated the search

0 Karma

woodcock
Esteemed Legend

Try this:

... | streamstats sum(AWS-*)

or this:

... | stats sum(AWS-*)
0 Karma

theouhuios
Motivator

Amazing. Such a simple function and it solved the issue.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...