Search Commands > accum

One of the great things about Splunk is that there are often several different ways to accomplish the same goal. In our series highlighting the various Splunk search commands, you may find yourself thinking a few times that you could accomplish the end goal using a different method. That’s great!  Use what is most natural to you, what is the most readable in any given search and don’t sweat finding the “right” search command

In this post, we are going to discuss the accum command.  In my next blog post, we will cover delta which is similar to accum. The purpose of these commands is to keep a running total and to help you calculate the difference between a field’s value in two different events.

Accum:

The syntax for the accum command is very straightforward:

accum <field> [as <newField>]

In plain english, this means that you specify which field you want to keep a running total and optionally whether you would like to rename the field.

One thing to keep in mind when using accum is the order in which splunk returns events.  By default in Splunk, you will always see the most recent event first, so if you run accum you will count down from the top event in the list down to the last event in your results.  For this reason, many times you will want to use reverse to start your running total for the first event.

I recently had reason to use accum when working with a group of developers that wanted a dashboard that incorporated and consolidated information from their build system, ticketing system, and automated tests.  One panel they were working on was to track the overall number of open tickets and be able to easily see this in a table.

Here is a simplified version of their data:

Sun Mar 23 00:00:00 EDT 2014 new=5 resolved=2
Sun Mar 23 02:00:00 EDT 2014 new=8 resolved=5
Sun Mar 23 04:00:00 EDT 2014 new=2 resolved=6
Sun Mar 23 06:00:00 EDT 2014 new=4 resolved=2
Sun Mar 23 08:00:00 EDT 2014 new=12 resolved=4

Here is the search we came up with:

sourcetype=tickets | reverse | eval diff=new-resolved | accum diff as total | table _time new resolved total

To create the table they wanted, they first needed to calculate the difference between new and resolved tickets. This can be easily done with an eval.  The final step would be to use accum to calculate the running total of tickets and put this in a table.

Do you remember how I said at the beginning of this post that you can often accomplish the same goal in multiple ways with Splunk?  Well Splunk has a powerful command called streamstats that you will be hearing about in this series.

The accum example could also be accomplished in this way:

sourcetype=tickets | reverse | streamstats sum(eval(new – resolved)) as total | table _time new resolved total

Streamstats has a whole slew of other aggregators such as range, sum, avg, last value and even has the ability split the results using “group bys”.  It really is one of the most powerful Splunk search commands available, so look for that post coming soon!

----------------------------------------------------
Thanks!
Omid Krabbe