Solved: Moving 3 day count - any built in search commands ...

himynamesdave · ‎05-17-2017

Hi all,

I have some data like so

Day | Count
1 | 200
2 | 200
3 | 300
4 | 100
5 | 200
... | ...

I can graph a timechart in normal way: SEARCH | timechart span=1d count

However, I now want a bar graph with a rolling count for 3 days

e.g

1 + 2 + 3 | 700
2 + 3 + 4 | 600
3 + 4 + 5 | 600

Is there any built in Splunk commands that can do this? How can I go about building a search for this use-case?

Thanks!

rjthibod · ‎05-17-2017

This is exactly what streamstats is for. Replace your timechart segment with the following.

... | bin _time span=1d | stats count as count by _time | streamstats window=3 current=t count as RunningCount | fields _time count RunningCount

You can then compare the running total to the individual total and adjust names as needed.

rjthibod · ‎05-17-2017

This is exactly what streamstats is for. Replace your timechart segment with the following.

... | bin _time span=1d | stats count as count by _time | streamstats window=3 current=t count as RunningCount | fields _time count RunningCount

You can then compare the running total to the individual total and adjust names as needed.

Moving 3 day count - any built in search commands for this?