- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to calculate N series of values?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to calculate N series of values?
My table look like this
Date/Time Name Value
26/6/2014 1:00 Foo 10
26/6/2014 2:00 foo 100 ..................Highest value of the day
26/6/2014 3:00 foo 0
..
...
..
26/6/2014 24:00 foo 0
27/6/2014 00:00 foo 0
.....
...............
..................
27/6/2014 8:00 foo 50
27/6/2014 9:00 foo 150 ................................. highest value of the day
......................
...................
27/6/2014 24:00 foo 0
28/6/2014 00:00 foo 0
........................
...........................
28/6/2014 12:00 foo 100
28/6/2014 13:00 foo 160 ..............................Highest value of the day
............................
.....................
I want the output and it would be looks
Date/Time Name Value
26/6/2014 1:00 Foo 10
26/6/2014 2:00 foo 100 ..................Highest value of the day
26/6/2014 3:00 foo 0+100
.26/6/2014 4:00 foo 0+100.
...
26/6/2014 22:00 foo 0+100
26/6/2014 23:00 foo 0+100.
26/6/2014 24:00 foo 0+100
27/6/2014 00:00 foo 0+100 ( This Value 100 is highest value of 26th date need to add on next date value)
27/6/2014 01:00 foo 0+100
.....
...............
..................
27/6/2014 06:00 foo 0+100
27/6/2014 07:00 foo 0+100
27/6/2014 08:00 foo 50+100
27/6/2014 09:00 foo 150 +100................................. highest value of the day
......................
...................
27/6/2014 24:00 foo 0+150+100
28/6/2014 00:00 foo 0+150+100 ( This Value 150+100= 250 is highest value on 27th date need to add on next date values)
28/6/2014 01:00 foo 0+150+100
........................
...........................
28/6/2014 10:00 foo 0+150+100
28/6/2014 11:00 foo 0+150+100
28/6/2014 12:00 foo 100+150+100
28/6/2014 13:00 foo 160 +150+100..............................Highest value of the day
28/6/2014 14:00 foo 0+160 +150+100.
28/6/2014 15:00 foo 0+160 +150+100.
28/6/2014 16:00 foo 0+160 +150+100.
..................................
....................................
..........................................
28/6/2014 24:00 foo 0+160 +150+100.( This Value 160+150+100= 410 is highest value on 28th date need to add on next date values)...
so...on
How to do search query for the above table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if this is what you want. Use _internal data for scheduler sourcetype. This should work on any Splunk instance.
index=_internal sourcetype=scheduler earliest=-3d | bucket span=1h _time | stats count by _time sourcetype | eval Day=strftime(_time,"%Y-%m-%d") | eventstats max(count) as max by Day sourcetype | eval max=if(max=count,max,0) | eval DayMax=max | accum max | eval newcount=max+count | fields - Day max
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
