I'm calculating the sum of spending over a month period.

```
* | timechart sum(value) span=1mon
```

This will produce the cumulative amount, but it won't show you how you arrived at the amount in day increments. Changing the span to 1 day doesn't produce the desired result, nor does bucketing ahead of the timechart.

```
* | timechart sum(value) span=1mon
```

How do you achieve this without some major delta hack?


Accepted Answer

The answer is not pretty but it works, thanks Ayn.

```
| reverse | accum value as totalvalue | timechart last(totalvalue) span=1d
```


`search ... | bucket _time span=1d | stats sum(value) as value by _time | accum value as totalvalue | timechart last(totalvalue) span=1d`

- Use the same bucketing of _time as the span in timechart and Splunk has even less work to do in the timechart.

You want to use the `streamstats` command.

1) simple example, running the timechart first and using streamstats to create the cumulative total on the timechart output rows.

`* | timechart count | streamstats sum(count) as cumulative`

2) similar, but with a field value instead of the count:

`index=_internal source=*metrics.log group=per_sourcetype_thruput | timechart sum(kb) as totalKB | streamstats sum(totalKB) as totalCumulativeKB`

3) If you want to go the other way, and use `streamstats` on the raw events, you can do that, but then you have to use the `reverse` command.

`index=_internal source=*metrics.log group=per_sourcetype_thruput | reverse | streamstats sum(kb) as cumulativeKB | timechart max(cumulativeKB)`

4) And streamstats also allows a 'by' term, so for example it can keep track of all of these cumulative numbers separately by some field value like 'series':

With the streamstats before the reporting command:

`index=_internal source=*metrics.log group=per_sourcetype_thruput | reverse | streamstats sum(kb) as cumulativeKB by series | timechart max(cumulativeKB) by series`

And last but not least, if you want to go the other way and use streamstats after the reporting command, you have to get a little more hands-on with stats and bin.

`index=_internal source=*metrics.log group=per_sourcetype_thruput | bin _time span=1h | streamstats sum(kb) as totalKB by _time series | timechart sum(totalKB) by series`


`index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1024 | bucket _time span=1h | stats sum(MB) as MB by _time st | streamstats sum(MB) as MB by st | timechart span=1h last(MB) as MB by st`

is a nice cumulative graph of indexing today by sourcetype. And over a day it creates 25 rows, which is a lot easier to reverse than 800,000 original log lines...

You could use `accum` to create the cumulative sum and then do a `timechart last()` on this sum to get the last value at the breakpoint of each interval and finally arriving at the total sum:

```
... | accum value as totalvalue | timechart last(totalvalue) span=1d
```
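
The ordering issue behind `reverse` in the answers above, as an added Python model (not SPL and not code from any poster). It assumes a search hands raw events to `accum` newest first, that `last()` keeps the last value seen in input order, and that `stats ... by _time` emits rows in ascending time; the events are constructed sample data.

```python
# Constructed sample events (not from the page), newest first:
# the assumed order in which a search returns raw events.
EVENTS = [
    ("2024-01-03T09:00", 10),
    ("2024-01-02T18:00", 20),
    ("2024-01-02T08:00", 30),
    ("2024-01-01T20:00", 40),
    ("2024-01-01T07:00", 50),
]


def day(ts):
    """Model of a span=1d bucket: keep only the date part."""
    return ts[:10]


def accum(rows):
    """Model of `accum value as totalvalue`: running sum in input order."""
    total, out = 0, []
    for ts, value in rows:
        total += value
        out.append((ts, total))
    return out


def timechart_last(rows):
    """Model of `timechart last(totalvalue) span=1d`: the last value seen
    per day in input order, with output rows sorted by time."""
    seen = {}
    for ts, total in rows:
        seen[day(ts)] = total
    return sorted(seen.items())


def without_reverse(events):
    # accum runs newest -> oldest, so the chart falls over time
    return timechart_last(accum(events))


def with_reverse(events):
    # `reverse` first: accum runs oldest -> newest
    return timechart_last(accum(list(reversed(events))))


def bucket_first(events):
    """Model of `bucket _time span=1d | stats sum(value) as value by _time
    | accum value as totalvalue`: one row per day, already oldest first."""
    daily = {}
    for ts, value in events:
        daily[day(ts)] = daily.get(day(ts), 0) + value
    return accum(sorted(daily.items()))
```

Bucketing first gives the same curve as reversing the raw events, but `accum` only walks one row per day instead of every event.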
