I have some data like so
Day | Count
1 | 200
2 | 200
3 | 300
4 | 100
5 | 200
... | ...
I can graph a timechart in the normal way: SEARCH | timechart span=1d count
However, I now want a bar graph with a rolling count for 3 days
1 + 2 + 3 | 700
2 + 3 + 4 | 600
3 + 4 + 5 | 600
Are there any built-in Splunk commands that can do this? How can I go about building a search for this use case?
This is exactly what streamstats is for. Replace your timechart segment with the following.
... | bin _time span=1d | stats count as count by _time | streamstats window=3 current=t sum(count) as RunningCount | fields _time count RunningCount
You can then compare the running total to the individual total and adjust names as needed.
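To make the mechanics of the accepted search concrete, here is an added Python model of the same pipeline (not code from the original post or from Splunk): `bin _time span=1d | stats count by _time` becomes a floor-to-span-and-count step, and `streamstats window=3 current=t sum(count)` becomes a sliding sum over the resulting rows. The event timestamps are constructed so that the daily counts match the table in the question; the `current=False` branch shows what `current=f` would change. Function names and the sample data are assumptions made for this illustration.

```python
from collections import Counter, deque
from datetime import datetime, timezone

# Constructed sample: daily counts taken from the table in the question.
# Assumption: events are generated here as repeated epoch timestamps rather
# than read from an index.
DAILY_COUNTS_IN_QUESTION = {1: 200, 2: 200, 3: 300, 4: 100, 5: 200}


def make_events():
    """Return one epoch timestamp (float seconds, like Splunk's _time) per event."""
    events = []
    for day, n in DAILY_COUNTS_IN_QUESTION.items():
        ts = datetime(2024, 1, day, 12, 0, tzinfo=timezone.utc).timestamp()
        events.extend([ts] * n)
    return events


def bin_and_count(epoch_seconds, span_seconds=86400):
    """Model of `bin _time span=1d | stats count by _time`.

    Each timestamp is floored to the start of its span and the rows are
    returned as (bucket_start, count) in time order, which is the row order
    streamstats will see next.
    """
    counts = Counter((int(t) // span_seconds) * span_seconds for t in epoch_seconds)
    return sorted(counts.items())


def streamstats_sum(rows, field_index=1, window=3, current=True):
    """Model of `streamstats window=W current=t sum(<field>) as RunningCount`.

    A bounded deque holds the last `window` values. With current=True the
    current row is part of its own window; with current=False the running
    value is computed from the preceding rows only, before the current row
    is added. The first rows get partial windows, exactly as streamstats
    does, so the early RunningCount values are sums over fewer than
    `window` rows.
    """
    buf = deque(maxlen=window)
    out = []
    for row in rows:
        value = row[field_index]
        if current:
            buf.append(value)
            running = sum(buf)
        else:
            running = sum(buf)
            buf.append(value)
        out.append((*row, running))  # (_time, count, RunningCount)
    return out


if __name__ == "__main__":
    rows = bin_and_count(make_events())
    for bucket, count, running in streamstats_sum(rows):
        day = datetime.fromtimestamp(bucket, tz=timezone.utc).date()
        print(f"{day}  count={count:4d}  RunningCount={running:4d}")
```

Running the model reproduces the figures in the question (700, 600, 600) on days 3 to 5. It also shows the two leading rows (200 and 400) that a `window=3` streamstats emits before the window is full; if only complete windows are wanted, those first rows have to be filtered out after the streamstats step.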