Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I search a five day running total for values that exceed an amount?

williamsonsteve
Engager
‎06-03-2011 07:20 AM

I have 12 months of financial data where I am trying to extract the payees whose transaction totals for a sliding 5 day window exceeds 10,000.00.

The data is structured
datetime payee amount
01/03/2011 10:28:58 GARY SMITH 875.01

etc...

I've tried
| bucket _time span=1d
| streamstats sum(amount) as TotalAmount, count(remitter) as PayeeChecks window=5 by _time,payee
| chart sum(TotalAmount) sum(PayeeChecks) by payee

No joy...
Looking for guidance on how to approach this.

Reply

woodcock
Esteemed Legend
‎05-28-2015 03:55 PM

Try this:

... | bucket _time span=1d |stats sum(amount) AS DailyAmount, count(remitter) AS PayeeChecks BY _time,payee | streamtstats window=5 sum(DailyAmount) AS AmountLast5Days, sum(PayeeChecks) AS PayeeChecksLast5Days BY payee
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...