using streamstats and stats together

i'd like to produce a field per event that's the running sum of some field as a percentage of the total sum of that field over the whole search.

for example, if this were excel, my sheet would look something like this:

+-----------------------+---------------+-------------+
| original field values | running total | what i want |
+-----------------------+---------------+-------------+
|                     1 |             1 |         20% |
|                     1 |             2 |         40% |
|                     1 |             3 |         60% |
|                     1 |             4 |         80% |
|                     1 |             5 |        100% |
+-----------------------+---------------+-------------+

i see that streamstats or accum can generate my "running total" column, but to get my "what i want" column, i need the output of stats c() or stats sum(), which destroys the individual events.

i feel like it might be a job for a sub-search and appendcols, but i haven't been able to work it out.

thanks in advance, orion

asked 03 Feb '12, 17:10

elenzil
160●1●5
accept rate: 0%

Be the first one to answer this question!

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

stats ×266
streamstats ×27
appendcols ×19
total ×6
accum ×3

Asked: 03 Feb '12, 17:10

Seen: 730 times

Last updated: 03 Feb '12, 17:10

using streamstats and stats together

Follow this question

Splunk Resources

Related questions