Answers for "How do you chart a cumulative sum?"
https://answers.splunk.com/answers/50628/how-do-you-chart-a-cumulative-sum.html
The latest answers for the question "How do you chart a cumulative sum?"
Answer by sideview
https://answers.splunk.com/answering/50662/view.html
You want to use the `streamstats` command.
1) Simple example, running the timechart first and using streamstats to create the cumulative total on the timechart output rows.
`* | timechart count | streamstats sum(count) as cumulative`
2) Similar, but with a field value instead of the count:
`index=_internal source=*metrics.log group=per_sourcetype_thruput | timechart sum(kb) as totalKB | streamstats sum(totalKB) as totalCumulativeKB`
3) If you want to go the other way, and use `streamstats` on the raw events, you can do that, but then you have to use the `reverse` command.
`index=_internal source=*metrics.log group=per_sourcetype_thruput | reverse | streamstats sum(kb) as cumulativeKB | timechart max(cumulativeKB)`
4) And streamstats also allows a 'by' term, so for example it can keep track of all of these cumulative numbers separately by some field value like 'series':
With the streamstats before the reporting command:
`index=_internal source=*metrics.log group=per_sourcetype_thruput | reverse | streamstats sum(kb) as cumulativeKB by series | timechart max(cumulativeKB) by series`
And last but not least, if you want to go the other way and use streamstats after the reporting command, you have to get a little more hands-on with stats and bin.
`index=_internal source=*metrics.log group=per_sourcetype_thruput | bin _time span=1h | streamstats sum(kb) as totalKB by _time series | timechart sum(totalKB) by series`
Fri, 15 Jun 2012 19:52:45 GMT, sideview
Answer by Marinus
https://answers.splunk.com/answering/50647/view.html
The answer is not pretty but it works, thanks Ayn.
`| reverse | accum value as totalvalue | timechart last(totalvalue) span=1d`
Fri, 15 Jun 2012 18:05:22 GMT, Marinus
Answer by Ayn
https://answers.splunk.com/answering/50632/view.html
You could use `accum` to create the cumulative sum and then do a `timechart last()` on this sum to get the last value at the breakpoint of each interval, finally arriving at the total sum:
`... | accum value as totalvalue | timechart last(totalvalue) span=1d`
Fri, 15 Jun 2012 14:57:35 GMT, Ayn
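The answers above call `reverse` before accumulating over raw events. Search results normally arrive newest first, so a running total computed without it builds from the latest event backwards. The search below is an added example, not part of any of the original answers. It runs on constructed data only (six `makeresults` events with made-up `kb` values of 10 to 60, sorted newest first to mimic normal search output) and puts both running totals side by side:

```spl
| makeresults count=6
| streamstats count as n
| eval _time = relative_time(now(), "-1d@d") + (n - 1) * 4 * 3600, kb = n * 10
| sort 0 - _time
| streamstats sum(kb) as cumulative_newest_first
| reverse
| streamstats sum(kb) as cumulative_oldest_first
| table _time kb cumulative_newest_first cumulative_oldest_first
```

Reading the table from the earliest `_time` down, `cumulative_oldest_first` grows with time while `cumulative_newest_first` shrinks, which is why the raw-event variants need `reverse` ahead of `streamstats` or `accum`.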