For each event where field is a number, the accum command in Splunk calculates a running total or sum of the numbers. The accumulated sum can be returned to either the same field, or a new field that you specify.
Syntax for accum command in Splunk:
accum <field> [AS <newfield>]
Query before using accum command:
index=* sourcetype="WinEventLog:*"
| stats count by LogName EventType
| fields - count
Result before using accum command:

Query after using accum command:
index=* sourcetype="WinEventLog:*"
| stats count by LogName EventType
| accum EventType as Total
Result after using accum command:

Explanation:
The accum command calculates a running total as the data comes in: for each event it takes the total accumulated so far, adds the value of the original field from the event that has just arrived, and writes the result to the new field.
In the above results we first list the EventType values by LogName, and then calculate the running total of EventType: each row's value is carried forward and added to the rows that follow, so that at the end the overall total appears in the new field Total.
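The running total described above can be modelled in a few lines of Python. This is an added example, not Splunk's implementation and not code from the original page; the sample rows are constructed, and leaving non-numeric rows untouched is an assumption based on the "where field is a number" wording.

```python
# Added example: a small Python model of the running total that accum
# produces. Not Splunk code; the rows below are constructed sample data.

def _as_number(value):
    """Return value as a float, or None when it is not numeric."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None

def accum(events, field, newfield=None):
    """Model of `accum <field> [AS <newfield>]` over events in order.

    Assumption: events whose field is missing or non-numeric are passed
    through unchanged and do not affect the total, following the page's
    "for each event where field is a number".
    """
    target = newfield or field      # no AS clause: overwrite the same field
    total = 0.0
    out = []
    for event in events:
        row = dict(event)           # do not mutate the caller's rows
        number = _as_number(row.get(field))
        if number is not None:
            total += number
            row[target] = int(total) if total.is_integer() else total
        out.append(row)
    return out

def totals(rows, field):
    """Collect one column so the running total is easy to inspect."""
    return [r.get(field) for r in rows]

# Constructed rows shaped like the output of `stats count by LogName EventType`.
SAMPLE = [
    {"LogName": "Application", "EventType": "2", "count": 12},
    {"LogName": "Application", "EventType": "4", "count": 340},
    {"LogName": "Security", "EventType": "n/a", "count": 57},
    {"LogName": "System", "EventType": "3", "count": 21},
]

if __name__ == "__main__":
    for r in accum(SAMPLE, "EventType", "Total"):   # accum EventType as Total
        print(r)
    print(totals(accum(SAMPLE, "count"), "count"))  # accum count (same field)
```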

