Solved: Multiple sums in one graph

liorfink · ‎08-24-2015

This is a followup question to This.
http://answers.splunk.com/answers/301144/sum-of-new-events-over-time.html

Now further, say I have all these new events, the answer gave me the total for all new events together, which was perfect for that given case.
Now for further analysis, I'd like it to be a line of the total New events, for each Engine.
So with the answer I got this:

And I would like a different graph of total New events for each Engine, like:

So to split the results by Engine I got this:

host="MyHost" Status="New" | timechart count by Engine

That gives me a division by Engine, but once again, it shows me single values per day, and not the accumulated total.
I've tried:
host="MyHost" Status="New" | timechart count by Engine | accum count - just adds another value named 'count' with 0

I'm obviously missing something basic in my understanding.
Thanks again in advance!

Sorry for my bad editing *

somesoni2 · ‎08-24-2015

Try something like this

host="MyHost" Status="New" | timechart count by Engine | streamstats sum(*) as *

View solution in original post

somesoni2 · ‎08-24-2015

Try something like this

host="MyHost" Status="New" | timechart count by Engine | streamstats sum(*) as *

liorfink · ‎08-24-2015

Perfect!
Thank you!

Multiple sums in one graph

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases