Splunk Search

Running Total

Michael_Schyma1
Contributor

I am trying to get a running total for the number of events field. I cannot get a column that adds up every 'Number of Events', or a running total anywhere at the bottom. Any suggestions?

Here's my search:

* | fields + app_name, app_id | top app_id app_name | rename app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent"

0 Karma
1 Solution

Ayn
Legend

From the docs on accum:

accum
Keeps a running total of a specified numeric field.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Accum
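The original poster's search with accum added, as an added example that is not from the thread itself. The index and sourcetype are placeholders because the poster omitted them, and accum is placed before the rename so it refers to the count field that top produces:

```spl
index=<your_index> sourcetype=<your_sourcetype>
| fields + app_name, app_id
| top app_id app_name
| accum count AS running_total
| rename app_id AS "App Code" app_name AS "Application Name" count AS "Number of Events" percent AS "Percent" running_total AS "Running Total"
```

accum sums rows in the order they arrive, so with top's descending sort the last row of Running Total equals the sum of all listed counts. If a single total row at the bottom is wanted instead of a per-row running figure, addtotals col=true produces that.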
rturk
Builder

Nice! Another command that I wasn't previously aware existed 🙂

0 Karma

rturk
Builder

Just as a suggestion, this search does a count for events with two distinct values, adds them together, and has the total as a new column.

 | stats count(eval(product="abc")) AS abc_count, count(eval(product="xyz")) AS xyz_count by product | eval total_products=abc_count+xyz_count  | sort -total_products

Sorry if this isn't what you're looking for, but hopefully it helps in some way.

Also you might want to remove the regex tag. I don't think this has much to do with regular expressions 😉

0 Karma

Michael_Schyma1
Contributor

Sorry about that, I am not sure how that got there.

0 Karma

Michael_Schyma1
Contributor

So there is no way to just add a field that will give me a running total for all the events that I am searching for. When I add the sum feature it just takes me to a different screen and then gives me a total instead of having all the information listed and totaling in a different field. Thank you for your help, just having a hard time getting it to work.

0 Karma

Michael_Schyma1
Contributor

Yes, but it does not add a separate column that just has the total of all the counts.

0 Karma

Drainy
Champion

So you need to use a | stats sum(count)?

Michael_Schyma1
Contributor

They are existing fields. I need a total of the top events, not just each individual event.

0 Karma

Drainy
Champion

What about the part that generates the statistics? (the count and percent part) unless they are existing fields?

0 Karma

Michael_Schyma1
Contributor

Just a portion of it. I left off the index and the sourcetype because I didn't think it would be needed.

0 Karma

Drainy
Champion

+1 Ayn, you'll need to copy and paste your whole search directly if you want any useful help.

0 Karma

Ayn
Legend

I doubt that is really your search. Did you paste the whole search or just portions of it?

Michael_Schyma1
Contributor

Any help would be appreciated.

0 Karma