Hi,
I'm looking for a function to accumulate previous values in a timechart. That means that I can see the real-time development of a software roll-out, distinguished by a UID. The result should look like a ramp.
My search string looks like this:
sourcetype="foo" devicetype="Bob" | timechart dc(uid) as totale by boxsw | addtotals
This table is an example of the desired results:
| Time | # events | w/ new sw | cumulated |
|-------|----------|-----------|-----------|
| Day 1 | 128 | 128 | 128 |
| Day 2 | 230 | 102 | 230 |
| Day 3 | 220 | 78 | 308 |
So at Day 3 in the example, there are 308 devices with the new software AND it is clear to see that it doesn't depend primarily on how many events were registered.
I just tried streamstats as mentioned in the first comment (that was made according to a badly formulated question...), but it doesn't give me the result I need. (As a first step I would be happy if there were any cumulated results.)
So, I'm looking forward to seeing an instructive answer to my question 🙂
Regards 😉