Documentation > Splunk > Search Reference > streamstats

Search Reference

 


Welcome
Search Overview
Search Commands
Custom Search Commands

streamstats

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

streamstats

Synopsis

Adds summary statistics to all search results in a streaming manner.

Syntax

streamstats [current=bool] [window=int] [global=bool] [allnum=bool] [stats-agg-term]* [by-clause]

Arguments

current
Datatype: <bool>
Description:
window
Datatype: <int>
Description: The 'window' option specify window size to be used in computing the statistics, and if 0 (by default), means that all previous (plus current) events are used
global
Datatype: <bool>
Description: If the 'global' option is set to false (it is true by default) and 'window' is set to a non-zero value, a seperate window is used for each group of values of the group by fields
allnum
Datatype: <bool>
Description: The 'allnum' option has the same affect as for the stats and eventstats commands.

Description

Similar to the 'eventstats' command except that only events seen before a given event (plus that event itself if current=t, which it is by default) are used to compute the aggregate statistics applied to each event. The 'window' option specify window size to be used in computing the statistics, and if 0 (by default), means that all previous (plus current) events are used. If the 'global' option is set to false (it is true by default) and 'window' is set to a non-zero value, a seperate window is used for each group of values of the group by fields. The 'allnum' option has the same affect as for the stats and eventstats commands.

Examples

Example 1: Compute the average value of foo for each value of bar including only the only 5 events with that value of bar.

... | streamstats avg(foo) by bar window=5 global=f

Example 2: For each event, compute the average of field foo over the last 5 events (including the current event). Similar to doing trendline sma5(foo)

... | streamstats avg(foo) window=5

Example 3: Same as example1, except that the current event is not included in the count

... | streamstats count current=f

Example 4: For each event, add a count field that represent the number of event seen so far (including that event). i.e., 1 for the first event, 2 for the second, 3, 4 ... and so on

... | streamstats count

See also

accum, autoregress, delta, eventstats, stats, streamstats, trendline

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.0.6/SearchReference/Streamstats"

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!