Usage of Splunk commands : ACCUM is as follows :
Keeps a running total of a specified numeric field.
Find below the skeleton of the usage of the command “accum” in SPLUNK (when AS is omitted, the running total overwrites the field itself) :
accum <field> [AS <newfield>]
index=_internal
| accum timestartpos AS "New_Field"
| table "timestartpos","New_Field"
Result :
timestartpos   New_Field
------------   ---------
15             15         Step 1 : timestartpos = 15 , New_Field = 15
0              15         Step 2 : timestartpos = 0 , New_Field = ( previous New_Field + 0 ) = 15 + 0 = 15
0              15         Step 3 : timestartpos = 0 , New_Field = ( previous New_Field + 0 ) = 15 + 0 = 15
20             35         Step 4 : timestartpos = 20 , New_Field = ( previous New_Field + 20 ) = 15 + 20 = 35
10             45         Step 5 : timestartpos = 10 , New_Field = ( previous New_Field + 10 ) = 35 + 10 = 45
Explanation :
As the heading says, accum “keeps a running total of a specified numeric field”. In the query above, “New_Field” is the new numeric field that accum creates; it holds the running total of “timestartpos” as the events stream through the command. In the first row the value of “New_Field” is 15, which is simply the value of “timestartpos”. In the second row “New_Field” is calculated as “timestartpos of the second row + New_Field of the first row”, i.e. 0 + 15 = 15, and so on down the result set.
Two points worth keeping in mind when you use it :
1. The total runs in the order in which events reach the command. Search results arrive newest first by default, so put a “| sort” or “| reverse” before accum if the total must follow chronological order.
2. accum has no BY clause. For a running total kept separately per host, user or source IP, use “| streamstats sum(<field>) AS <newfield> BY <groupfield>” instead.
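To make the step-by-step arithmetic above concrete, here is an added Python model of what accum does to a stream of events, together with the per-group variant that streamstats provides. This is illustration code written for this page, not code from Splunk or from the original post; the function and field names (accum, running_total_by, first_event_over, bytes_out, total_out) are assumptions, and the firewall-style events are constructed for the example. It reproduces the post's 15, 15, 15, 35, 45 sequence and goes one step beyond the page by showing what happens to an event whose field is not numeric (left untouched, total unaffected), which is how the Splunk documentation describes the command; confirm that on your own instance before relying on it.

```python
"""Running-total model of Splunk's `accum`, plus the per-group variant.

Added illustration, not code from Splunk or the original post. All event
values below are constructed for the example.
"""
from typing import Any, Dict, List, Optional

Event = Dict[str, Any]


def _as_number(value: Any) -> Optional[float]:
    """Treat ints, floats and numeric strings as numbers; anything else
    (missing field, free text, booleans) is non-numeric and is skipped."""
    if isinstance(value, bool) or value is None:
        return None
    if isinstance(value, (int, float)):
        return value
    if isinstance(value, str):
        try:
            return int(value)
        except ValueError:
            try:
                return float(value)
            except ValueError:
                return None
    return None


def accum(events: List[Event], field: str, newfield: Optional[str] = None) -> List[Event]:
    """Model of `| accum <field> [AS <newfield>]`.

    Walks the events in search order keeping one running total. An event whose
    field is numeric gets the updated total written to <newfield> (or back into
    <field> when no AS is given); an event whose field is missing or
    non-numeric passes through untouched and does not disturb the total.
    """
    target = newfield or field
    total = 0
    out: List[Event] = []
    for ev in events:
        ev = dict(ev)  # copy so the caller's events are not mutated
        n = _as_number(ev.get(field))
        if n is not None:
            total += n
            ev[target] = total
        out.append(ev)
    return out


def running_total_by(events: List[Event], field: str, newfield: str, by: str) -> List[Event]:
    """Per-group running total, i.e. what
    `| streamstats sum(<field>) AS <newfield> BY <by>` produces.
    accum has no BY clause, so this is the shape you reach for when the
    total must be kept separately per host, user, src_ip, and so on."""
    totals: Dict[Any, float] = {}
    out: List[Event] = []
    for ev in events:
        ev = dict(ev)
        key = ev.get(by)
        n = _as_number(ev.get(field))
        if n is not None:
            totals[key] = totals.get(key, 0) + n
            ev[newfield] = totals[key]
        out.append(ev)
    return out


def first_event_over(events: List[Event], field: str, threshold: float) -> Optional[int]:
    """Index of the first event whose running-total field exceeds threshold,
    or None. Typical use: alert on the first log line at which a host's
    cumulative outbound bytes crosses a budget."""
    for i, ev in enumerate(events):
        n = _as_number(ev.get(field))
        if n is not None and n > threshold:
            return i
    return None


# The post's worked example: the five timestartpos values in search order.
POST_EVENTS: List[Event] = [{"timestartpos": v} for v in (15, 0, 0, 20, 10)]

# Constructed firewall-style events (not real data) for the per-host variant.
FW_EVENTS: List[Event] = [
    {"host": "web01", "bytes_out": 400},
    {"host": "db01", "bytes_out": 100},
    {"host": "web01", "bytes_out": "oops"},  # non-numeric: passes through, total unchanged
    {"host": "web01", "bytes_out": 700},
    {"host": "db01", "bytes_out": 250},
]

if __name__ == "__main__":
    for ev in accum(POST_EVENTS, "timestartpos", "New_Field"):
        print(ev)  # New_Field: 15, 15, 15, 35, 45
    for ev in running_total_by(FW_EVENTS, "bytes_out", "total_out", "host"):
        print(ev)  # total_out per host: 400, 100, (none), 1100, 350
```

Running the file prints the post's sequence first, then the per-host totals; note that the third firewall event neither gets a total_out field nor moves web01's total, which is the behaviour to expect from accum when a field extraction occasionally fails.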
Now you can use the “accum” command in your daily searches wherever a running total is needed !!
Hope you are now comfortable in : Usage of Splunk commands : ACCUM
HAPPY SPLUNKING !!
Great work Abhay
Hi,
Please subscribe to get more updates on Splunk !!
Good !!!