Solved: Re: Set limit to Accum value

weihtee · ‎03-11-2014

I have a list of +1 and -1 that I would like to sum them up as events happen, but I do not want the sum to go below 0. If the current sum is 0 and the new variable is -1, it will simply remain at 0. Any idea how to do this?
Eg.
n sum
1 1
-1 0
-1 0
-1 0
1 1
1 2
-1 1
Thank you

rakesh_498115 · ‎03-12-2014

Hi Weihtee,

You can use the where condition to emlinate counting those -1's like below,

[your search] | where n > 0 | accum n as sum | table n,sum

Hope this Helps !!

View solution in original post

rakesh_498115 · ‎03-12-2014

Hi Weihtee,

You can use the where condition to emlinate counting those -1's like below,

[your search] | where n > 0 | accum n as sum | table n,sum

Hope this Helps !!

rakesh_498115 · ‎03-12-2014

ok..in the case a simple eval statement would do the trick for u.

[your search] | accum n as sum | eval sum = if(sum<0,0,sum) | table n,sum

this will not let sum below 0 🙂

weihtee · ‎03-12-2014

Hi thanks, but I need the -1's since if the sum is any number above 0, it is still useful( eg 4, it would get the sum to 4-1=3)
I just need the sum to not go below 0 🙂

Set limit to Accum value

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Are you a member of the Splunk Community?

Set limit to Accum value

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025