Hey Splunk gang,
I have a dashboard that I am creating and it will ingest a file every 5 minutes. I need to create a search that will accumulate the value of an extracted field, i.e., extracted field = ACA, and it comes in the first time at 10, and then the second time (5 minutes later) at 15, and the dashboard displays 25. Ideally in a single value panel.
Here is the search that produces the original value, but it does not accumulate a total:
| rename "Amt Credits Acc" as "ACA"
| fieldformat ACA = ("$".ACA)
| table "ACA"
Your search needs a little work.
To calculate a total you'll need to use stats:
https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Stats
And when using fieldformat you'll have to call a function:
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2106/SearchReference/Fieldformat
Both pages have excellent examples that are very close to what you're trying to accomplish.
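A search along the lines the reply describes, added here as an example and not part of the original thread. The first three lines build two constructed sample events (10 and 15) so it runs on its own; in the dashboard they would be replaced by the base search over the ingested file.

```spl
| makeresults count=2
| streamstats count as n
| eval "Amt Credits Acc" = if(n=1, 10, 15)
| rename "Amt Credits Acc" as "ACA"
| stats sum(ACA) as ACA
| fieldformat ACA = "$".tostring(ACA, "commas")
```

The sum covers only the events inside the panel's time range, so that range has to span every ingest that should count toward the total.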