Hi,
I'm looking for a function to accumulate values in a timechart, so I can see the real-time progress of a software roll-out, distinguished by UID. The result should look like a ramp.
My search string looks like this:
sourcetype="foo" devicetype="Bob" | timechart dc(uid) as totale by sw | addtotals
This table is an example of the desired result:

Time     # events   w/ new sw   cumulated
Day 1    128        128         128
Day 2    230        102         230
Day 3    220        78          308
So at Day 3 in the example, there are 308 devices with the new software, and it is clear to see that it doesn't depend primarily on how many events were registered.
I think I have to extract the UIDs from one day into a file, to compare them with the UIDs from the next day.
I just tried accum and streamstats, but nothing fits my expectations.
Is there any possibility to solve the problem? This problem is driving me crazy...
Regards 😉
Perhaps try:
sourcetype="foo" devicetype="Bob" | timechart dc(uid) as totale by sw | addtotals sw
addtotals should then narrow the calculated results to just that field's data.
Thanks, but it just adds the field totals, and now the results are zero over all time.
Do you have a small sample set of data?
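One way to get the three columns from the original post's table (events per day, UIDs first seen that day, and the running total of devices on the new software) without exporting UIDs to a file. This is an added example, not a search from anyone in the thread; it assumes the new software is identified by the hypothetical field value sw="new" and uses one-day buckets to match the table.

```spl
sourcetype="foo" devicetype="Bob" sw="new"
| sort 0 _time
| streamstats count as seen_before by uid
| eval first_seen=if(seen_before==1, 1, 0)
| timechart span=1d count as events sum(first_seen) as new_uids
| accum new_uids as cumulated
```

`sort 0 _time` puts events in chronological order (the 0 disables the default result limit), so `streamstats count by uid` is 1 exactly on the first event of each UID; `first_seen` then marks a device the day it first reports the new software, regardless of how many events it sends later. `timechart` counts raw events and new UIDs per day, and `accum` turns the daily new-UID count into the ramp. A device first seen before the search window will be counted as new on its first day inside the window, so the time range should start at or before the roll-out.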