Solved: How to calculate (total or YTD/year-to-date) accum...

kalitbri · ‎06-11-2010

How to calculate (total or YTD/year-to-date) accumulated count based on region (or other group) in a search request? Like the last 2 field in following example data:

http://paste.plurk.com/show/268913/

gkanapathy · ‎06-11-2010

the streamstats command:

... | bucket _time span=1mon | stats count by _time,region | streamstats global=f current=t sum(count) as cum_count by _time,region

I don't know how to do YTD.

View solution in original post

gkanapathy · ‎06-11-2010

the streamstats command:

... | bucket _time span=1mon | stats count by _time,region | streamstats global=f current=t sum(count) as cum_count by _time,region

I don't know how to do YTD.

kalitbri · ‎06-14-2010

I tested but only works after i removed _time from by-clause in streamstats. Thanks anyway! I can achieve YTD similarly, by:

kalitbri · ‎06-11-2010

Thanks! how about similar way , but by _time@Y for YTD?

How to calculate (total or YTD/year-to-date) accumulated count based on region (or other group)

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases