Splunk® Cloud Services

SPL2 Search Reference


streamstats command examples

The following are examples for using the SPL2 streamstats command. To learn more about the streamstats command, see How the streamstats command works.

Many of these examples use the statistical functions. See Overview of SPL2 stats and chart functions.

1. Add a running count to each search result

In the following search, a new field is appended to each search result with a count of the results processed so far. The search has no BY clause, so the count does not depend on the host value. The count is cumulative and includes the current result.

| from <dataset> | streamstats count()

For example, if your data looks like this:

host _time
x 2019-07-16T00:00:00.000Z
y 2019-07-15T00:00:00.000Z
x 2019-07-14T00:00:00.000Z
x 2019-07-13T00:00:00.000Z
y 2019-07-12T00:00:00.000Z


The output would look like this:

host _time count
x 2019-07-16T00:00:00.000Z 1
y 2019-07-15T00:00:00.000Z 2
x 2019-07-14T00:00:00.000Z 3
x 2019-07-13T00:00:00.000Z 4
y 2019-07-12T00:00:00.000Z 5

2. Using a <by-clause> to reset the search results count

The following search uses the host field to reset the count. For each search result a new field is appended with a count of the results based on the host value. The count is cumulative and includes the current result.

| from <dataset> | streamstats count() BY host

For example, if your data looks like this:

host _time
x 2019-07-16T00:00:00.000Z
y 2019-07-15T00:00:00.000Z
x 2019-07-14T00:00:00.000Z
x 2019-07-13T00:00:00.000Z
y 2019-07-12T00:00:00.000Z


The output would look like this:

host _time count
x 2019-07-16T00:00:00.000Z 1
y 2019-07-15T00:00:00.000Z 1
x 2019-07-14T00:00:00.000Z 2
x 2019-07-13T00:00:00.000Z 3
y 2019-07-12T00:00:00.000Z 2

3. Specifying reset options

This example performs an aggregation on the bytes field and displays the total number of bytes by host. The total is reset either when action="REBOOT" or when the host changes.

...| streamstats sum(bytes) AS total_bytes BY host reset after action="REBOOT" onchange
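The three searches above can be checked against a small model of the running aggregate. This is an added Python illustration, not Splunk code or part of the original documentation; the function names and the TRAFFIC events are constructed. It assumes that reset after clears the totals once the matching event has been included, and that onchange clears them whenever consecutive events have different host values.

```python
# Added illustration, not Splunk code: models the running aggregates in examples 1-3.
def streamstats(events, agg="count", field=None, by=None,
                reset_after=None, onchange=False, out="count"):
    """Return copies of events with a running aggregate stored in `out`.

    reset_after: predicate; when it is true for an event, every running value
                 is cleared once that event has been included (assumption).
    onchange:    clear every running value when the `by` value differs from
                 the previous event's value (assumption).
    """
    totals = {}                      # running value per BY group
    prev_key, first = None, True
    results = []
    for ev in events:
        key = ev.get(by) if by else None
        if onchange and not first and key != prev_key:
            totals.clear()
        step = 1 if agg == "count" else ev.get(field, 0)
        totals[key] = totals.get(key, 0) + step
        results.append({**ev, out: totals[key]})
        if reset_after and reset_after(ev):
            totals.clear()
        prev_key, first = key, False
    return results

def running(events, **kw):
    """Convenience wrapper: return only the appended column."""
    return [r[kw.get("out", "count")] for r in streamstats(events, **kw)]

def is_reboot(ev):
    return ev["action"] == "REBOOT"

# host column of the sample data shown in examples 1 and 2
HOSTS = [{"host": h} for h in ["x", "y", "x", "x", "y"]]

# Constructed events for example 3 (the page gives no sample data for it)
TRAFFIC = [
    {"host": "x", "bytes": 100, "action": "GET"},
    {"host": "x", "bytes": 50, "action": "REBOOT"},
    {"host": "x", "bytes": 10, "action": "GET"},
    {"host": "y", "bytes": 200, "action": "GET"},
    {"host": "x", "bytes": 5, "action": "GET"},
]

if __name__ == "__main__":
    print(running(HOSTS))                 # example 1
    print(running(HOSTS, by="host"))      # example 2
    print(running(TRAFFIC, agg="sum", field="bytes", by="host",
                  reset_after=is_reboot, onchange=True, out="total_bytes"))
```

Under these assumptions the total for host x restarts after the REBOOT event and again each time the host value switches, so a per-host total does not carry across a host change when onchange is set.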

See also

streamstats command
streamstats command overview
streamstats command syntax details
streamstats command usage
Last modified on 04 October, 2021

This documentation applies to the following versions of Splunk® Cloud Services: current

