Splunk Search

How to use a running total/accumulated value as a starting input for a timechart, but not display this data point?

Sukisen1981
Champion

I have a requirement as follows:
I have a time chart with 3 fields
A,B,C

C=A-B+previous value of C in row immediately above.

Example:

Row                  A     B     C
1st row              8     3     5
2nd row and so on    6     7     4   (6-7+5)

Now, I have built the time chart using accum C, defining eval C=A-B... which works perfectly. Question is - this is continuous data from 3 years back. For example, if I am asked to show a timechart / time-wise depiction for, say, the last 3 weeks till now, the chart breaks down, as the accumulation for the first row 3 weeks ago just takes A-B, whereas it should take the accumulated value of C from the row immediately above. However, since the chart is now being pulled from 3 weeks ago, it does not find any accumulated value of C for the 1st row of the 3-week-old data pull.

In other words - is there a way to limit timechart to just visually start from any point in the past BUT somehow use the running total/accumulated value as a starting input while limiting the time chart?

0 Karma
1 Solution

Sukisen1981
Champion

Hi gals n guys - sorry, please disregard this, I found out what I wanted.

Took the total index query at first, placed a join on _time with the latter, the latter being selected for the last 3 weeks.
The _time column join worked of course, and the values from the first join for the common range (last 3 weeks) flowed into the common join table. Just did some last clean-up with fields - and removed a couple of columns from the second join that I did not need.

But it makes me wonder: is there a way to suppress the first N rows returned from a timechart without a condition, by just specifying N - the number of rows needed to be removed... could be 1, could be 5/6 etc.


0 Karma

sundareshr
Legend

How are you going to specify N? To suppress the first N rows, you can do reverse | head N | reverse where N=Total-N

0 Karma
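A worked search for the thread's problem, added here as an example and not part of either poster's query. It builds 30 days of constructed sample data with makeresults instead of reading an index, so it runs on any Splunk instance without data; the field names A, B, C and the choice of C as a running backlog (A = findings opened per day, B = findings closed per day, C = open backlog) are assumptions for illustration. The running total is computed over the full range first, and only then is the displayed window cut down to the last 3 weeks, so the first visible row already carries the accumulated C from the rows before it:

```spl
| makeresults count=30
| streamstats count AS day
| eval _time=relative_time(now(), "-30d@d") + (day - 1) * 86400
| eval A=(day * 7) % 10, B=(day * 3) % 10
| eval diff=A-B
| accum diff AS C
| where _time >= relative_time(now(), "-21d@d")
| table _time A B C
```

Against real data, replace the first four lines with something like index=<your_index> earliest=-3y | timechart span=1d count(eval(status="new")) AS A count(eval(status="closed")) AS B (index and status values are placeholders); the accum and where lines stay the same. The where on _time is the part that matters: applied after accum, it only trims what is displayed, whereas putting earliest=-3w on the base search would restart the accumulation at the first row, which is exactly the breakage described in the question. Where the cut-off is a row count rather than a time, the answer's reverse | head (Total-N) | reverse works; an equivalent that does not require knowing Total is streamstats count AS rownum | where rownum > N, placed after accum for the same reason.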

Sukisen1981
Champion

This works well. N is passed from a filter where the user enters the past number of weeks he/she wants to see the results from. Thanks a lot! Answer accepted; the query looks much smaller and trimmer with your solution.

0 Karma

Sukisen1981
Champion

What is the more efficient way, though? Both the solutions work, but in the long run which will put less load on the search?

0 Karma
