Solved: Sum of new events over time

liorfink · ‎08-23-2015

Hi all!
I'm new to Splunk and I'm having trouble making my search correct.
I've tried searching but found no case exactly like mine.

the problem:
I have a log with many 'Events', each event has a status: New/Old.
Old means it has been dealt with.
I would like to make a line-chart that will show the total number of new events over time.
My chart:

The way the chart should look:

This is what I've tried so far:
host="MyHost" Status="New" | timechart count(Status)
... | timechart sum(Status)
... | timechart sum(count(Status))

Any help will be appreciated!
Thanks!

martin_mueller · ‎08-23-2015

This should do what you need:

host="MyHost" Status="New" | timechart count | accum count

That will turn the count per timeslot into a running total.

View solution in original post

martin_mueller · ‎08-23-2015

This should do what you need:

host="MyHost" Status="New" | timechart count | accum count

That will turn the count per timeslot into a running total.

liorfink · ‎08-23-2015

Thank you!
That worked!

Sum of new events over time

Accelerating Observability as Code with the Splunk AI Assistant

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Join the Conversation

Sum of new events over time

Accelerating Observability as Code with the Splunk AI Assistant

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...