Usage of Splunk commands : ACCUM

Usage of the Splunk command ACCUM is as follows:

Keeps a running total of a specified numeric field.

Find below the skeleton of the usage of the command "accum" in Splunk:

    accum <field> [AS <newfield>]
 
 
index=_internal
| accum timestartpos AS "New_Field"
| table "timestartpos","New_Field"
 
 
Result:

timestartpos   New_Field
------------   ---------
15             15         Step 1: timestartpos = 15, New_Field = 15
0              15         Step 2: timestartpos = 0,  New_Field = (New_Field + 0)  = 15+0  = 15
0              15         Step 3: timestartpos = 0,  New_Field = (New_Field + 0)  = 15+0  = 15
20             35         Step 4: timestartpos = 20, New_Field = (New_Field + 20) = 15+20 = 35
10             45         Step 5: timestartpos = 10, New_Field = (New_Field + 10) = 35+10 = 45
 

Explanation

As stated in the topic itself, "it keeps a running total of a specified numeric field". In the above query, "New_Field" is the new numeric field that gets created and holds the running total of "timestartpos". As you can see, in the first row the value of "New_Field" is 15, which is the value of "timestartpos". In the second row, the value of "New_Field" is calculated as "timestartpos (second row's value) + New_Field (first row's value)", i.e., 0+15 = 15, and so on.
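To make the row-by-row arithmetic above concrete, here is the running-total logic of accum reimplemented in Python over a list of events. This is an added example, not code from the original post or from Splunk; the function name, the event dicts and the sample data are constructed for illustration. Beyond the post's table, it also shows what happens when an event's field is missing or non-numeric: as with accum, such events are passed through and the total is neither updated nor reset.

```python
"""Reimplementation of Splunk's accum semantics over a list of events (dicts)."""
from typing import Any, Optional


def accum(events: list[dict[str, Any]], field: str,
          newfield: Optional[str] = None) -> list[dict[str, Any]]:
    """Return copies of `events` with a running total of `field` in `newfield`.

    Mirrors accum: every event whose field holds a number adds to the total
    and receives the total so far. Events with a missing or non-numeric field
    are passed through unchanged and do not affect the total (no reset).
    Without `newfield` the total overwrites `field`, as `accum <field>` does.
    """
    target = newfield or field
    total = 0.0
    out: list[dict[str, Any]] = []
    for ev in events:
        ev = dict(ev)                  # never mutate the caller's events
        try:
            value = float(ev.get(field))   # Splunk field values are often strings
        except (TypeError, ValueError):
            out.append(ev)             # non-numeric / absent: pass through untouched
            continue
        total += value
        # Render whole-number totals without a trailing ".0", as Splunk does
        ev[target] = int(total) if total.is_integer() else total
        out.append(ev)
    return out


# Constructed sample events reproducing the post's result table (15, 0, 0, 20, 10)
EVENTS = [{"timestartpos": v} for v in (15, 0, 0, 20, 10)]


def running_totals(events=EVENTS, field="timestartpos", newfield="New_Field"):
    """Return just the accumulated column, e.g. [15, 15, 15, 35, 45] for EVENTS."""
    return [ev.get(newfield) for ev in accum(events, field, newfield)]


if __name__ == "__main__":
    for row in accum(EVENTS, "timestartpos", "New_Field"):
        print(row["timestartpos"], row["New_Field"])
```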

 

 

Now you can effectively utilize the "accum" command in your daily use to meet your requirement!!


Hope you are now comfortable in: Usage of Splunk commands: ACCUM
HAPPY SPLUNKING !!