Solved: How to calculate the "Moving" sum of the last 52 w...

CarmineCalo · ‎01-31-2018

Splunkers!
I have a new problem I'm not able to solve, I hope you can help me...

Basically, I'm counting the number of incidents occurring on weekly basis related to the last 2 years (events beginning in Jan 2016):

...
| eval dateweek_year=strftime(_time,"%Y-%U")    
| chart count as Num_Incidents over dateweek_year

Now, I'd like to present the outcome as "moving sum" of the last 52 weeks, starting from Jan 2017.
So 01-2017 period has to show the sum of incidents from 02-2016 to 01-2017,
02-2017 from 03-2016 to 02-2017
etc...

Any help?

I've no clue about how to do it...

Eventstats/Streamstats should help?

Tks!
Carmine

mayurr98 · ‎01-31-2018

hey I think you want something like this

<your_base_search> 
| eval dateweek_year=strftime(_time,"%Y-%U") 
| chart count as Num_Incidents over dateweek_year 
| streamstats sum(Num_Incidents) as "Moving_SUM" window=52

So, you will get cumulative sum of last 52 weeks at any point of time.
let me know if this helps!

View solution in original post

mayurr98 · ‎01-31-2018

hey I think you want something like this

<your_base_search> 
| eval dateweek_year=strftime(_time,"%Y-%U") 
| chart count as Num_Incidents over dateweek_year 
| streamstats sum(Num_Incidents) as "Moving_SUM" window=52

So, you will get cumulative sum of last 52 weeks at any point of time.
let me know if this helps!

CarmineCalo · ‎01-31-2018

This option works, great 🙂

Tks!
Carmine

niketn · ‎01-31-2018

@CarmineCalo, Please try the following and confirm

 <YourBaseSearch>
| eval dateweek_year=strftime(_time,"%Y-%U")    
| chart count as Num_Incidents over dateweek_year
| accum Num_Incidents

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to calculate the "Moving" sum of the last 52 weeks?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!