Skip to main content
Sumo Logic

accum

The accum operator calculates the cumulative sum of a field. The accum operator can be used to find a count by a specific time interval, and can be used to find a total running count across all intervals.

Syntax:

  • accum field [ as alias ] [ by field1, field2, ... ]

Rules:

  • An alias for accum is optional. When an alias is not provided, _accum is the default alias.
  • Specified fields must contain numeric values.
  • If a row contains non-numeric values, that row will be skipped.
  • To add a query that includes an accum operator to a Dashboard, you must add a group by function before the accum operator.

Examples:

Requests by running total. With the accum operator, we can find the number of requests by a user as a running total. Running a query similar to:accum operator, we can find the number of requests by a user as a running total. Running a query similar to:

_sourceCategory=IIS (Wyatt OR Luke)
| parse using public/iis
| timeslice by 1m
| count as requests by _timeslice,cs_username
| sort by _timeslice asc,cs_username
| accum requests as running_total

produces results of a running total of all requests, similar to:

Running total by user name. Anther option is to find a running total for each user's requests. Running a query similar to:

_sourceCategory=IIS (Wyatt OR Luke)
| parse using public/iis
| timeslice by 1m
| count as requests by _timeslice,cs_username
| sort by _timeslice asc,cs_username
accum requests as running_total by cs_username

produces results of a running total for each user's requests, similar to: