 ## Keeps a running total of a specified numeric field.

The basic syntax of the `accum` command in Splunk is:

```
accum <field> [AS <newfield>]
```

```
index=_internal
| accum timestartpos AS "New_Field"
| table "timestartpos","New_Field"
```

Result:

| timestartpos | New_Field | Calculation |
|---|---|---|
| 15 | 15 | Step 1: timestartpos = 15, New_Field = 15 |
| 0 | 15 | Step 2: timestartpos = 0, New_Field = (New_Field + 0) = 15 + 0 = 15 |
| 0 | 15 | Step 3: timestartpos = 0, New_Field = (New_Field + 0) = 15 + 0 = 15 |
| 20 | 35 | Step 4: timestartpos = 20, New_Field = (New_Field + 20) = 15 + 20 = 35 |
| 10 | 45 | Step 5: timestartpos = 10, New_Field = (New_Field + 10) = 35 + 10 = 45 |

Explanation
As the title says, `accum` keeps a running total of a specified numeric field. In the query above, "New_Field" is the new numeric field that gets created and holds the running total of "timestartpos". In the first row, the value of "New_Field" is 15, which is the value of "timestartpos". In the second row, the value of "New_Field" is calculated as "timestartpos (second row's value) + New_Field (first row's value)", i.e., 0 + 15 = 15, and so on.
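The search below is an added example, not part of the original post. It rebuilds the five sample rows with `makeresults`, so the result table can be reproduced on any Splunk instance without depending on what is in `_internal`, and it computes the same running total a second way with `streamstats sum()` for comparison. The field names `row` and `via_streamstats` are assumptions introduced for this illustration.

```spl
| makeresults count=5
| streamstats count AS row
| eval timestartpos=case(row=1, 15, row=2, 0, row=3, 0, row=4, 20, row=5, 10)
| accum timestartpos AS "New_Field"
| streamstats sum(timestartpos) AS via_streamstats
| table row, timestartpos, "New_Field", via_streamstats
```

Both `New_Field` and `via_streamstats` should read 15, 15, 15, 35, 45. `accum` has no `BY` clause, so when a separate running total is needed per host or per user, `streamstats sum(...) BY <field>` is the form to use.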

Now you can use the "accum" command in your daily work to meet your requirements!

You can also read about: Usage of REX attribute: max_match

Hope you are now comfortable with: Usage of Splunk commands: ACCUM
HAPPY SPLUNKING!!
