I am a complete splunk newbie and I'm trying to find information on how powerful the searches and reports can be.
Let's say I have a log of sourcetype transactions (with extracted fields account_number and amount). Can I write a search that calculates the current balance on all accounts by first finding all unique accounts and then adding all associated amounts?
Yup.
sourcetype=my_transactions account_number=* | stats sum(amount) as amount by account_number
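The following is an added example building on the answer above; it is not from the original poster. It keeps the same search and the same assumed field names (sourcetype `my_transactions`, extracted fields `account_number` and `amount`), and additionally assumes `amount` is a signed value (credits positive, debits negative). It forces `amount` to a number before summing, reports the transaction count and last activity per account alongside the balance, and flags overdrawn accounts:

```spl
sourcetype=my_transactions account_number=*
| eval amount=tonumber(amount)
| stats sum(amount) AS balance, count AS transactions, latest(_time) AS last_activity BY account_number
| eval last_activity=strftime(last_activity, "%Y-%m-%d %H:%M:%S")
| eval overdrawn=if(balance < 0, "yes", "no")
| sort 0 - balance
```

Two things to keep in mind when using this: `account_number=*` only keeps events where that field was actually extracted, so any transaction whose extraction failed silently drops out of the balance, and `sum()` ignores non-numeric values rather than erroring, so the `tonumber()` step (or a `| where isnull(amount)` check beforehand) is the only way to notice malformed amounts. The balance is also only as "current" as the time range of the search; run it over All Time, or over a range starting at the last known settlement point, for it to be meaningful.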