Splunk Search

How to use a running total/accumulated value as a starting input for a timechart, but not display this data point?

Champion

I have a requirement as follows:
I have a time chart with 3 fields: A, B, C

C=A-B+previous value of C in row immediately above.

Example:

```
1st Row              A     B    C
                     8     3    5
2nd row and so on    A     B    C
                     6     7    4 (6-7+5)
```

Now, I have built the time chart using accum C, defining eval C=A-B, which works perfectly. The question is: this is continuous data from 3 years back. For example, if I am asked to show a timechart / time-wise depiction for, say, the last 3 weeks till now, the chart breaks down, as the accumulation for the first row 3 weeks ago just takes A-B, whereas it should take the accumulated value of C from the immediate row above. However, since the chart is now being pulled from 3 weeks ago, it does not find any accumulated value of C for the 1st row of the 3-week-old data pull.

In other words: is there a way to limit a timechart to just visually start from any point in the past BUT somehow use the running total/accumulated value as a starting input while limiting the time chart?

1 Solution
Champion

Hi gals n guys - Sorry, please disregard this, I found out what I wanted.

Took the total index query at first, placed a join on _time with the latter, the latter being selected for the last 3 weeks.
The _time column join worked of course, and the values from the first join for the common (last 3 weeks) flowed into the common join table. Just did some last clean-up with fields and removed a couple of columns from the second join that I did not need.

But it makes me wonder: is there a way to suppress the first N rows returned from a timechart without a condition, by just specifying N, the number of rows to be removed? Could be 1, could be 5/6, etc.

Legend

How are you going to specify N? To suppress the first N rows, you can do `reverse | head N | reverse` where `N=Total-N`

Champion

This works well. N is passed from a filter where the user enters the past number of weeks he/she wants to see the results from. Thanks a lot! Answer accepted; the query looks much smaller and trimmer with your solution.

Champion

What is the more efficient way, though? Both solutions work, but in the long run which will put less load on the search?
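An added example, not from any poster in this thread, of the pattern the thread converges on: run the accumulation over the full history first and only then trim what is displayed, so the first visible row already carries the running total instead of restarting from A-B. The index, sourcetype, and the per-week `sum(A)`/`sum(B)` aggregation are assumptions; the two searches differ only in how the trailing rows are kept, the first with a time-based `where` filter, the second with the `reverse | head N | reverse` trick from the answer above.

```spl
index=myindex sourcetype=mydata earliest=-3y@w latest=now
| timechart span=1w sum(A) as A sum(B) as B
| fillnull value=0 A B
| eval C = A - B
| accum C
| where _time >= relative_time(now(), "-3w@w")

index=myindex sourcetype=mydata earliest=-3y@w latest=now
| timechart span=1w sum(A) as A sum(B) as B
| fillnull value=0 A B
| eval C = A - B
| accum C
| reverse | head 3 | reverse
```

`fillnull` matters here: a week with no events gives `timechart` a null A and B, so `A - B` would be null and the running total would skip that bucket; zeroing them keeps `accum` continuous. `accum` itself is cheap (one row per weekly bucket, a few hundred rows over three years); the real cost is scanning three years of raw events on every run, and that cost is the same for the `join` approach, since the carry-in value depends on all prior history. If that scan becomes the bottleneck, a scheduled search that writes the weekly A, B totals to a summary index and a dashboard search that reads only that summary is the usual way to cut the load, which also answers the efficiency question above without changing the result.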

