Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use accum with timechart?

Abass42
Communicator
‎05-11-2023 12:07 PM

Hey, I had a quick question about my splunk search that doesnt work. Im using timechart and was wanting to display the single value visualization while having that sparkline. On some of these forum posts, i saw where they were using accum right after timechart, but my visualization just displays one of the values, im wanting it to accumulate while showing the sparkline. 

 

Abass42_0-1683831313396.png

 

 heres the code im using: 

 

 

index=ironport source="/export/var/splunk/ironport/mail/*"
| rex "((?<Domain>((@[a-zA-Z0-9._-]+\.[a-zA-Z0-9_-]+))))"  
| search Domain="@mail321.bluematrix.com"
| stats values(src_user) as src_user values(recipient) as recipient values(size) as msg_size values(_time) as _time values(eval(lower(Domain))) as Domain by MID
| eval Total_MB_Sent=msg_size/1024/1024
|table _time, Domain, Total_MB_Sent
| timechart span=1hr   sum(Total_MB_Sent) AS MSG_Sum by Domain
| accum MSG_Sum

 

 

 

I think its just updating the value shown, but it isnt accumulating. Any help would be appreciated. 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yeahnah
Motivator
‎05-11-2023 09:54 PM

Hi @Abass42 

As soon as you use a group by clause in timechart the field headers become the group by result - in your case a domain name.  The accum would need to the domain field name as MSG_Sum does not exist due to the by clause grouping.

As the single value viz only shows the last value of the first column (other than _time) anyway, then there is no point having a domain group by.  So, this is what you would use... 

 

index=ironport source="/export/var/splunk/ironport/mail/*"
| rex "((?<Domain>((@[a-zA-Z0-9._-]+\.[a-zA-Z0-9_-]+))))"  
| search Domain="@mail321.bluematrix.com"
| stats values(src_user) as src_user values(recipient) as recipient values(size) as msg_size values(_time) as _time values(eval(lower(Domain))) as Domain by MID
| eval Total_MB_Sent=msg_size/1024/1024
|table _time, Domain, Total_MB_Sent
| timechart span=1hr   sum(Total_MB_Sent) AS MSG_Sum
| accum MSG_Sum

 

If you have different domains to display, then individually filter them before the timechart command, like this...

... your search ...
| table _time, Domain, Total_MB_Sent
| search Domain=<your domain>
| timechart span=1hr sum(Total_MB_Sent) AS MSG_Sum
| accum MSG_Sum

 Or if you no the domain name then you can use accum <domain>, instead when using the group by clause.

Hope that makes sense and helps

View solution in original post

Reply
Solved! Jump to solution
Solution

yeahnah
Motivator
‎05-11-2023 09:54 PM

Hi @Abass42 

As soon as you use a group by clause in timechart the field headers become the group by result - in your case a domain name.  The accum would need to the domain field name as MSG_Sum does not exist due to the by clause grouping.

As the single value viz only shows the last value of the first column (other than _time) anyway, then there is no point having a domain group by.  So, this is what you would use... 

 

index=ironport source="/export/var/splunk/ironport/mail/*"
| rex "((?<Domain>((@[a-zA-Z0-9._-]+\.[a-zA-Z0-9_-]+))))"  
| search Domain="@mail321.bluematrix.com"
| stats values(src_user) as src_user values(recipient) as recipient values(size) as msg_size values(_time) as _time values(eval(lower(Domain))) as Domain by MID
| eval Total_MB_Sent=msg_size/1024/1024
|table _time, Domain, Total_MB_Sent
| timechart span=1hr   sum(Total_MB_Sent) AS MSG_Sum
| accum MSG_Sum

 

If you have different domains to display, then individually filter them before the timechart command, like this...

... your search ...
| table _time, Domain, Total_MB_Sent
| search Domain=<your domain>
| timechart span=1hr sum(Total_MB_Sent) AS MSG_Sum
| accum MSG_Sum

 Or if you no the domain name then you can use accum <domain>, instead when using the group by clause.

Hope that makes sense and helps

Reply
Solved! Jump to solution

Abass42
Communicator
‎05-12-2023 07:23 AM

Wow. I tried multiple variations of that query, and one of them at some point i thought was what you suggested, but apparently not. Your query worked like a charm. Thank you. I appreciate your help. 🤝

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...