Monday, May 4

Usage of Splunk commands : ACCUM


The Splunk command ACCUM is used as follows:

Keeps a running total of a specified numeric field. For each event whose value in that field is a number, accum adds the value to the sum of the values in all preceding events (in search-result order) and writes the result either back to the same field or to a new field you name. The command has no BY clause, so the total is kept over the whole result set, not per host, user or other group.



                Find below the skeleton of the usage of the command "accum" in Splunk:

                                     accum <field> [AS <newfield>]


  index=_internal
  | accum timestartpos AS New_Field
  | table timestartpos, New_Field


Result :

timestartpos   New_Field
------------   ---------
15             15         Step 1 : timestartpos = 15 , New_Field = 15
0              15         Step 2 : timestartpos = 0 ,  New_Field = ( previous New_Field + 0 )  = 15 + 0  = 15
0              15         Step 3 : timestartpos = 0 ,  New_Field = ( previous New_Field + 0 )  = 15 + 0  = 15
20             35         Step 4 : timestartpos = 20 , New_Field = ( previous New_Field + 20 ) = 15 + 20 = 35
10             45         Step 5 : timestartpos = 10 , New_Field = ( previous New_Field + 10 ) = 35 + 10 = 45



Explanation
                    As stated in the topic itself, "it keeps a running total of a specified numeric field".
                    In the above query, "New_Field" is the new numeric field that gets created
                    and contains the running total of "timestartpos". As you can see, in the first row
                    the value of "New_Field" is 15, which is the value of "timestartpos";
                    in the second row, the value of "New_Field" is calculated as

 "timestartpos (second row's value) + New_Field (first row's value)", i.e., 0 + 15 = 15,

   and so on .....

                    Two points to keep in mind. First, accum sums events in the order in which they
                    reach it, and a plain search returns the newest events first, so pipe the results
                    through "sort 0 _time" (or "reverse") before accum if you want the total to grow
                    in chronological order. Second, events where the field is missing or is not a
                    number are skipped and do not contribute to the total, so check the source field
                    with a quick "stats count" before trusting the final sum.
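The following search is an added example and is not part of the original post. It applies the running-total idea to a security question: at what moment did a single client exceed a volume of outbound web traffic within a day. The index name "proxy", the sourcetype "squid" and the field names "src_ip", "dest_host" and "bytes_out" are assumptions about a hypothetical proxy log and must be adapted to your own data; only the commands themselves are standard SPL.

```spl
index=proxy sourcetype=squid src_ip=10.1.2.3 earliest=-24h
| sort 0 _time
| accum bytes_out AS cumulative_bytes_out
| eval cumulative_mb = round(cumulative_bytes_out / 1024 / 1024, 1)
| where cumulative_mb > 500
| head 1
| table _time src_ip dest_host bytes_out cumulative_mb
```

The "sort 0 _time" step is what makes the total meaningful: without it, accum would add up the newest events first and the "first event over the threshold" would be the wrong one. "head 1" keeps only the event at which the cumulative volume crossed 500 MB, which gives you a timestamp to pivot from. Because accum has no BY clause, the search is pinned to one "src_ip"; to compute the same running total for every client at once, replace the accum line with "streamstats sum(bytes_out) AS cumulative_bytes_out by src_ip".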



Now you can effectively utilize the "accum" command in your daily use to meet your requirement!


Hope you are now comfortable in : Usage of Splunk commands : ACCUM


HAPPY SPLUNKING !!