
How to use a running total/accumulated value as a starting input for a timechart, but not display this data point?

Sukisen1981
Champion

I have a requirement as follows:
I have a time chart with 3 fields
A,B,C

C=A-B+previous value of C in row immediately above.

Example:

1st Row              A     B    C
                     8     3    5
2nd row and so on    A     B    C
                     6     7    4(6-7+5)

Now, I have built the time chart using accum C, defining eval C=A-B... which works perfectly. The question is - this is continuous data from 3 years back. For example, if I am asked to show a timechart / time-wise depiction for, say, the last 3 weeks till now... the chart breaks down, as the accumulation for the first row 3 weeks ago just takes A-B, whereas it should take the accumulated value of C from the immediate row above. However, since the chart is now being pulled from 3 weeks ago, it does not find any accumulated value of C for the 1st row of the 3-week-old data pull.

In other words - is there a way to limit timechart to just visually start from any point in the past BUT somehow use the running total/accumulated value as a starting input while limiting the time chart?

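One way to get the behaviour the question asks for, as an added example rather than the poster's own search: let accum run over the full history and only then restrict what the chart shows, so the first visible bucket already carries the C accumulated from the earlier rows. The index and sourcetype names, the field names A and B, the 1-day span and the three-year history are assumptions.

```spl
index=ledger sourcetype=daily_totals earliest=-3y latest=now
| timechart span=1d sum(A) AS A sum(B) AS B
| fillnull value=0 A B
| eval delta = A - B
| accum delta AS C
| where _time >= relative_time(now(), "-3w@d")
| fields _time A B C
```

The where clause sits after accum, so trimming the result to the last three weeks does not reset the running total; moving the three-week limit into the base search (earliest=-3w) is exactly what produces the broken first row described in the question. fillnull keeps a day with no events from producing an empty delta in the chain. The cost is that every run still scans three years of events: the time filter narrows what is displayed, not what is read.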
1 Solution

Sukisen1981
Champion

Hi gals n guys - sorry, please disregard this, I found out what I wanted.

Took the total index query at first, placed a join on _time with the latter, the latter being selected for the last 3 weeks.
The _time column join worked of course, and the values from the first join for the common period (last 3 weeks) flowed into the common join table. Just did some last clean-up with fields - and removed a couple of columns from the second join that I did not need.

But it makes me wonder: is there a way to suppress the first N rows returned from a timechart without a condition, by just specifying N, the number of rows to be removed... could be 1, could be 5/6, etc.


sundareshr
Legend

How are you going to specify N? To suppress the first N rows, you can do reverse | head N | reverse where N=Total-N

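The row-count trim suggested above, written out as an added example (not the answerer's search): the chart is accumulated over the full history first, then the rows are numbered with streamstats and the first N are dropped, so the user supplies N directly rather than Total-N. The index and sourcetype names, the field names A and B, the weekly span and N=3 are assumptions; in a dashboard the 3 would be the value of the weeks input.

```spl
index=ledger sourcetype=daily_totals earliest=-3y latest=now
| timechart span=1w sum(A) AS A sum(B) AS B
| fillnull value=0 A B
| eval delta = A - B
| accum delta AS C
| streamstats count AS rownum
| where rownum > 3
| fields - rownum
```

Because streamstats numbers rows that are already accumulated, the first bucket kept still holds the correct C. If what the user enters is the number of weeks to show rather than the number to hide, add eventstats count AS total before the where and use where rownum > total - 3; that is the same arithmetic as the reverse | head N | reverse suggestion, without having to know the total row count in advance.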

Sukisen1981
Champion

This works well. N is passed from a filter where the user enters the past number of weeks he/she wants to see the results from. Thanks a lot! Answer accepted; the query looks much smaller and trimmer with your solution.


Sukisen1981
Champion

What is the more efficient way, though? Both solutions work, but in the long run which will put less load on the search?
