timechart of running sum

Question

How to plot running sums? Eg given events with fields "time host errors", I'd like to do

| timechart accum(errors) by host

but timechart doesn't have accum, and accum doesn't have "by".

The below gets close:

| reverse | streamstats sum(errors) AS RunningSum by host window=10000 global=f | timechart sum(RunningSum) by host

but RunningSum sometimes decreases (which I don't understand or want), and there are definitely less than 10000 events so I don't think window size is the reason.

Answer 1

3

This is somewhat tricky to do. Basically we first discretize time, like timechart does, so that we can calculate statistics per time bin. Then we count the errors in each time bin using stats. Next we use streamstats to achieve the accumulation. Last we use timechart to put it all together. A search like this should work:

... | bin _time | stats count as errors by _time host | streamstats sum(errors) as errors by series | timechart max(errors) by series

link

answered 04 Jun '10, 23:20

Stephen Sorkin ♦
8.9k●5●10
accept rate: 52%

The | bin _time | stats count didn't work for me. Instead I substituted it with another | timechart sum() and it worked fine.

(09 Dec '10, 23:54) Jason

timechart of running sum

Follow this question

Splunk Resources

Related questions