Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

cumulative sum

avishni01
Explorer
‎02-07-2022 08:39 AM

Hello

I have events that include a field of username ( and of course _time) .I would like to count how many users were added each month, but there are times with no new users were created. 

I can find the first appearance of each user using

Stats min(_time) by username

And then I can use timechart to count new users by month and streamstats to get the cumulative sum.

I have found how to fill the gaps if there were no new users during a month m by using the makecontinues command. what i didn't figure yet is how to fill the period before the first user creation and since the last time a user was created , until today .

... 
| timechart span=1mon count(username) as users
| makecontinues  spam=1mon _time
| fillnull
| streamstats sum(users)  as com

thanks for the help

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-07-2022 09:56 AM

Timechart already fills the gaps including before and after based on the time range from the timepicker / earliest and latest, so you should just be able to use streamstats after timechart.

... 
| timechart span=1mon count(username) as users
| streamstats sum(users)  as com
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...