- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timechart - Running Total By Product
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I would like to create a timechart that shows the running total revenues for each product.
First I've created a search for the overall running totals:
my search | bucket _time span=1d | stats sum(price) AS Revenues by _time | accum Revenues AS Total_Revenues | timechart last(Total_Revenues) span=1d
This seems to work fine. But now i don't know how to tell Splunk to do this for every product. The accum command does not allow a 'by product' argument.
Can someone help me with this search?
BR
Heinz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
yours earch | bucket _time span=1d | stats sum(price) AS Revenues by product,_time | streamstats sum(Revenues) as Total_Revenues by product| timechart span=1d last(Total_Revenues) by product
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this: This doesn't completely overcome the issue (as it will still show emtpy cell if, in your example, Day 1 or Day4 has no product. but anything in between it will fill in.
your search| bucket _time span=1d | stats sum(duration) AS Revenues by product,_time | makecontinuous _time span=1d | eval joinfield=1 | join max=0 joinfield [search you search | stats count by product | fields - count | eval joinfield=1] | fillnull | streamstats sum(Revenues) as Total_Revenues by product | timechart span=1d last(Total_Revenues) by product
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This shows the overall revenues in every product column. I will use the first version. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
yours earch | bucket _time span=1d | stats sum(price) AS Revenues by product,_time | streamstats sum(Revenues) as Total_Revenues by product| timechart span=1d last(Total_Revenues) by product
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey,
thanks this works so far. At the moment there are some empty cells in the timechart, when there haven't been any revenues for a product on a specific day. So the accumulated values look like this at the moment:
Day 1 10$
Day 2 20$
Day 3
Day 4 30$
Better would be:
Day 1 10$
Day 2 20$
Day 3 20$
Day 4 30$
Do you have an idea?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| fillnull comand will add nulls for missing values.
Enterprise Security Content Update (ESCU) | New Releases
Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...
Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...
