I have a chicken and egg issue here which I am having trouble resolving.
I have a search which returns data for each month.
[base_search] | eval monthlyCost = ((annualCost - totalPaid)/days_left_in_year) * daysInMonth | accum monthlyCost as totalPaid
Now this will not work as totalPaid doesnt exist for the first event, but subsequent ones it should have a value.
This can easily be done in Excel but I am having real trouble replicating in Splunk.
Currently the above search returns nothing for monthlyCost or totalPaid in all events.
I tried adding this before the eval but it didn't work and it always set totalPaid = 0. | eval totalPaid = case(isnum(totalPaid),totalPaid,!isnum(totalPaid),0)
Any ideas?
