Solved: Splunk running total

Anesthetize · ‎08-25-2021

Hey Splunk gang,

I have a dashboard that I am creating and it will ingest a file every 5 minutes. I need to create a search that will accumulate the value of an extracted field. ie.) Extracted field = ACA, and it comes in the first time at 10, and then the second time(5 minutes later) at 15 and the dashboard displays 25. Ideally in a single value panel.

Here is the search that produces the original value, but it does not accumulate a total:

| rename "Amt Credits Acc" as "ACA"
| fieldformat ACA = ("$".ACA)
| table "ACA"

codebuilder · ‎08-25-2021

Your search needs a little work.
To calculate a total you'll need to use stats:
https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Stats

And when using fieldformat you'll have to call a function:
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2106/SearchReference/Fieldformat

Both pages have excellent examples that are very close to what you're trying to accomplish.

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

codebuilder · ‎08-25-2021

Your search needs a little work.
To calculate a total you'll need to use stats:
https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Stats

And when using fieldformat you'll have to call a function:
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2106/SearchReference/Fieldformat

Both pages have excellent examples that are very close to what you're trying to accomplish.

----
An upvote would be appreciated and Accept Solution if it helps!

Splunk running total

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

Splunk running total

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience