accum

This command is experimental.

Definition

accum returns the accumulated sum of the selected table column, which must contain numerical values.

Syntax

| accum <column-name> (AS <new-column>)

Optional arguments

Examples

Use accum to calculate the accumulated sum for the selected column. The following example returns an accumulated sum for the _raw column.

%dpl
index=example earliest=-5y
| accum _raw

When accum is used, results aren’t sorted by time. See the issue on GitHub.

New column

If the new column name isn’t defined, accum writes the accumulated sum into the same column it is calculated from. Use AS <new-column> to define the new column.

The following example calculates the accumulated sum for the countOperation column and returns it in the totalOperationCount column. Before accum is used, stats sums the values in countOperation by the operation column. Additionally, spath extracts the JSON content from the dataset, and where filters out count values that are below 0.

%dpl
index=crud earliest=-5y
| spath
| rename count AS countOperation
| where countOperation > 0
| stats sum(countOperation) AS countOperation BY operation
| accum countOperation AS totalOperationCount

Figure: Example of accum with new column

Further Reading