How to add previous data to a number from another ...

vickyocc53 · ‎03-15-2017

I have 3 main fields: _time, total_vehicle, and changes. total_vehicle is only generate periodically and I would like to find out what is happening in between with the "changes" field. Just plainly putting them in table I get:

  _time     min(vehicle_count)  change
    2017-03-15 00:32:00 18   
    2017-03-15 00:34:00     1
    2017-03-15 00:35:00     1
    2017-03-15 00:36:00     1
    2017-03-15 01:25:00     -1
    2017-03-15 01:26:00     -1
    2017-03-15 01:27:00     -1
    2017-03-15 01:28:00     -1
    2017-03-15 01:55:00 17   
    2017-03-15 04:51:00 17   
    2017-03-15 04:59:00     1
    2017-03-15 05:03:00

What I wish to obtain is to concatenate them into one single cumulative table:

  _time     min(vehicle_count)
    2017-03-15 00:32:00 18   
    2017-03-15 00:34:00 19
    2017-03-15 00:35:00 20
    2017-03-15 00:36:00 21
    2017-03-15 01:25:00 20
    2017-03-15 01:26:00 19
    2017-03-15 01:27:00 18
    2017-03-15 01:28:00 17
    2017-03-15 01:55:00 17
    and etc

Does anyone have any idea on how I might be able to achieve that?

niketn · ‎03-15-2017

You should be able to use accum command to achieve what you need.
If you are using timechart command to aggregate vehicle_count using min(), you can use as to provide it a simple alias to be reused further down the query for example.

| timechart min(vehicle_count) as vehicle_count 
| accum vehicle_count as vehicle_count

If you wish to retain existing fields you can provide a new name after as.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to add previous data to a number from another field, and put it as the current data?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability