Compute Cumulative Aggregation Across Buckets
Compute a cumulative aggregation across buckets using the accumulate() function with timeChart()
Query
timeChart(span=1000ms, function=sum(value))
| accumulate(sum(_sum, as=_accumulated_sum))Introduction
The accumulate() function can be used to calculate
running totals, averages, or other cumulative metrics over time or
across a series of events. The accumulate()
function applies an aggregation function cumulatively to a sequence of
events. A common use case is to accumulate values across time intervals,
such as days. This can be achieved by applying the
accumulate() function after a
bucket() or timeChart()
function.
In this example, the accumulate() function is used
with timeChart() to accumulate values across time
intervals.
Note that the accumulate() function must be used
after an aggregator function to ensure event ordering.
Example incoming data might look like this:
| @timestamp | key | value |
|---|---|---|
| 1451606301001 | a | 5 |
| 1451606301500 | b | 6 |
| 1451606301701 | a | 1 |
| 1451606302001 | c | 2 |
| 1451606302201 | b | 6 |
Step-by-Step
Starting with the source repository events.
- flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0{{Aggregate}} 1{{Aggregate}} result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;logscale
timeChart(span=1000ms, function=sum(value))Groups data into 1-second buckets over a 4-second period, sums the field value for each bucket and returns the results in a field named _sum. The result is displayed in a timechart.
- flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0{{Aggregate}} 1{{Aggregate}} result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;logscale
| accumulate(sum(_sum, as=_accumulated_sum))Calculates a running total of the sums in the _sum field, and returns the results in a field named _accumulated_sum.
Event Result set.
Summary and Results
The query is used to accumulate values across time intervals/buckets. The query is useful for tracking cumulative metrics or identifying trends in the data.
Sample output from the incoming example data:
| _bucket | _sum | _accumulated_sum |
|---|---|---|
| 1451606300000 | 0 | 0 |
| 1451606301000 | 12 | 12 |
| 1451606302000 | 8 | 20 |
| 1451606303000 | 0 | 20 |
The timechart looks like this:
 |