How to search the cumulative sum for multiple fields and chart them by day?

Motivator

Hello

I am trying to get a cumulative sum of multiple fields and then chart them. Problem is, I can use accum on only ONE field at a time. The fields are dynamic, so I need something which will calculate the cumulative value for fields which start with AWS-*

The fields look like below

There can be other tags too, like AWS-S3 etc., depending on the filters which people pick. So is there a way to get a cumulative value of each field as its own field (cumulative value of AWS-EC2 as accum_AWS-EC2, etc.)?

Search:

 index=blah sourcetype=blah source="*blah-*" Center=ABC123 | timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag | accum AWS-EC2 as accum_AWS-EC2 | accum AWS-EMR as accum_AWS-EMR

UPDATE: Updated the question. I am trying to get the cumulative value by Day


Re: How to search the cumulative sum for multiple fields and chart them by day?

Esteemed Legend

Try this:

... | streamstats sum(AWS-*)

or this:

... | stats sum(AWS-*)


Re: How to search the cumulative sum for multiple fields and chart them by day?

Motivator

Amazing. Such a simple function and it solved the issue.


Re: How to search the cumulative sum for multiple fields and chart them by day?

Motivator

Sorry, I should have been more clear. I need to get a cumulative value by each day so that I can just chart the cumulative values of all AWS-*, stack them up, which would give the total value for the day along with the ProductName.


Re: How to search the cumulative sum for multiple fields and chart them by day?

SplunkTrust

What search command are you currently using?


Re: How to search the cumulative sum for multiple fields and chart them by day?

Motivator

Updated the search


Re: How to search the cumulative sum for multiple fields and chart them by day?

Hi,

Try with

... | streamstats sum(AWS-*) as AWS-*_accum | timechart AWS-*_accum span=1d

Re: How to search the cumulative sum for multiple fields and chart them by day?

Esteemed Legend

OK, based on your clarification, do this:

... | bucket _time span=1d | stats sum(AWS-*) by _time | addcoltotals

Or this (still not sure if you need accum or sum):

... | bucket _time span=1d | streamstats sum(AWS-*) by _time

The bucket part may not be necessary (if your data matches what you show).


Re: How to search the cumulative sum for multiple fields and chart them by day?

Motivator

Updated the question with the search. AWS-* fields are basically values of a field called ProductName.


Re: How to search the cumulative sum for multiple fields and chart them by day?

Motivator

addcoltotals will give me a cumulative value for all the fields. Problem is I need it to add by day, like accum, which keeps adding the field above the current field and keeps going on. This would basically give me the TOTAL cost till that day, for every day.

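
The per-day running total asked for in this thread, put together as one self-contained search (an added example, not taken from any of the posts above): `timechart` first turns each ProductName_Tag value into its own daily column, and `streamstats` with a wildcard rename then keeps a running total for every AWS-* column. The `makeresults` rows are constructed sample data standing in for the `index=blah` events, and the `accum_` prefix follows the naming used in the question.

```spl
| makeresults count=6
| streamstats count as n
| eval _time = relative_time(now(), "@d") - floor((n - 1) / 2) * 86400
| eval ProductName_Tag = if(n % 2 == 0, "AWS-EC2", "AWS-EMR")
| eval UnBlendedCost = n * 10
| timechart span=1d sum(UnBlendedCost) as Cost by ProductName_Tag
| streamstats sum(AWS-*) as accum_AWS-*
| fields _time accum_AWS-*
```

Rendered as a stacked column chart, the height of each day's stack is the total cost up to and including that day, split by product.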