Splunk® Cloud Services

SPL2 Search Reference

streamstats command usage

Resetting the aggregations

There are several ways to reset the aggregations. You can reset before a condition occurs, after a condition occurs, and whenever the value of a field in the <by-clause> changes.

Reset after and reset before

The reset after clause resets the aggregation in the next search result after the condition occurs.

The reset before clause resets the aggregation in the search result in which the condition occurs.


Suppose that you have the following data:

host  bytes  action
x     100    LOGON
y     200    APP_START
x     400    FILE_DOWNLOAD
x     50     REBOOT
y     150    LOGON
x     100    LOGON

You want to calculate the total bytes for each host. However, when the system reboots you want the calculation for the total bytes to begin again. You can use the reset after argument to accomplish this.

| streamstats reset after action="REBOOT" sum(bytes) AS total_bytes BY host

Because the value in the action field is a string literal, the value needs to be enclosed in double quotation marks.

The streamstats command calculates a running total of the bytes for each host into a field called total_bytes. The running total resets each time an event satisfies the action="REBOOT" criteria. The results look like this:

host  bytes  action         total_bytes
x     100    LOGON          100
y     200    APP_START      200
x     400    FILE_DOWNLOAD  500
x     50     REBOOT         550
y     150    LOGON          150
x     100    LOGON          100

The total_bytes field accumulates a sum of the bytes so far for each host. When the reset after condition action="REBOOT" is satisfied in the 4th event, that event still shows the sum for the x host, including the bytes for the REBOOT action. The sum of the bytes is reset for both the y and x hosts in the events that follow.

If the reset before clause is used instead, the results would be this:

host  bytes  action         total_bytes
x     100    LOGON          100
y     200    APP_START      200
x     400    FILE_DOWNLOAD  500
x     50     REBOOT         50
y     150    LOGON          150
x     100    LOGON          150

Reset onchange

To reset the aggregation whenever any of the fields specified in the <group-by> clause change, use the reset onchange condition.

Continuing with the previous example, you would use this syntax:

...| streamstats reset onchange sum(bytes) AS total_bytes BY host

The output from this search is this:

host  bytes  action         total_bytes
x     100    LOGON          100
y     200    APP_START      200
x     400    FILE_DOWNLOAD  400
x     50     REBOOT         450
y     150    LOGON          150
x     100    LOGON          100

Because the value of the host changes between the 2nd and 3rd rows, the total_bytes is reset in the 3rd row. The reset occurs again between the 4th and 5th rows.

Combining reset clauses

You can combine the reset clauses. For example, you can use this search:

...| streamstats reset after action="REBOOT" onchange sum(bytes) AS total_bytes BY host

If combined, a reset occurs whenever any of the clauses triggers a reset.
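To make the reset before, reset after, onchange and combined behaviours concrete, here is an added Python model that replays the page's sample events through each rule; it is not Splunk's code and not part of this page. The function name streamstats_sum and the assumption that a reset clears the running totals for every host (which is what the page's result tables show) are mine.

```python
# Added example, not Splunk's code: a small Python model of the SPL2
# streamstats reset clauses described on this page (reset before, reset
# after, onchange, and their combination), run over the page's sample data.
# Assumption (as the page's result tables show): a reset clears the running
# totals for every host, not only for the host of the triggering event.

SAMPLE = [  # constructed from the page's example table
    {"host": "x", "bytes": 100, "action": "LOGON"},
    {"host": "y", "bytes": 200, "action": "APP_START"},
    {"host": "x", "bytes": 400, "action": "FILE_DOWNLOAD"},
    {"host": "x", "bytes": 50,  "action": "REBOOT"},
    {"host": "y", "bytes": 150, "action": "LOGON"},
    {"host": "x", "bytes": 100, "action": "LOGON"},
]

def streamstats_sum(events, field="bytes", by="host",
                    reset_before=None, reset_after=None, onchange=False):
    """Running sum(field) BY <by> with SPL2-style reset clauses.
    reset_before / reset_after: predicate over one event (the role of the
    <eval-expression> in `reset before ...` / `reset after ...`).
    onchange: reset whenever the value of the BY field changes.
    Returns the running total for each event, in input order.
    """
    totals = {}             # per-host running sums
    pending_reset = False   # set by `reset after`, applied to the next event
    prev_key = None
    out = []
    for ev in events:
        key = ev[by]
        if (pending_reset
                or (onchange and prev_key is not None and key != prev_key)
                or (reset_before is not None and reset_before(ev))):
            totals = {}     # `reset before` clears totals before adding
        totals[key] = totals.get(key, 0) + ev[field]
        out.append(totals[key])
        # `reset after` takes effect only in the next search result.
        pending_reset = reset_after is not None and reset_after(ev)
        prev_key = key
    return out

def is_reboot(ev):
    return ev["action"] == "REBOOT"

if __name__ == "__main__":
    for label, kw in [("reset after", {"reset_after": is_reboot}),
                      ("reset before", {"reset_before": is_reboot}),
                      ("reset onchange", {"onchange": True}),
                      ("reset after ... onchange",
                       {"reset_after": is_reboot, "onchange": True})]:
        print(f"{label:26s} {streamstats_sum(SAMPLE, **kw)}")
```

The three single-clause runs reproduce the total_bytes columns of the three result tables above.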

Differences between SPL and SPL2

Command syntax has changed

The streamstats command syntax in SPL2 is substantially different from the streamstats command in SPL. All of the reset conditions have new syntax that makes it easier to write expressions. Instead of individual reset arguments, there is one reset argument where you can specify multiple reset conditions. Additionally, you no longer have to escape quotation marks or parentheses in the reset expressions.

SPL

The following table shows the SPL syntax and an example for the streamstats command.

Syntax                                  Example
streamstats                             streamstats
reset_on_change=<bool>                  reset_on_change=true
reset_before="("<eval-expression>")"    reset_before=(reboot="COMPLETE")
reset_after="("<eval-expression>")"     reset_after=(CPUUtilization > 50)
current=<bool>                          current=false
window=<int>                            window=5
time_window=<span-length>
global=<bool>
allnum=<bool>
<stats-agg-term>...                     avg(CPUUtilization) AS avg_cpu
<by-clause>                             BY host

SPL2

The following table shows the SPL2 syntax and an example for the streamstats command.

Syntax                                  Example
streamstats                             streamstats
<stats aggregation>                     avg(CPUUtilization) AS avg_cpu
current=<bool>                          current=false
window=<int>                            window=5
<by-clause>                             BY host
reset                                   reset before reboot="COMPLETE" after CPUUtilization > 50 onchange
    before <eval-expression>
    after <eval-expression>
    onchange

Some command options are not supported in SPL2

The following arguments from SPL do not have an equivalent argument in SPL2.

  • allnum
  • global
  • time_window

See also

streamstats command
streamstats command overview
streamstats command syntax details
streamstats command examples
Last modified on 11 March, 2022

This documentation applies to the following versions of Splunk® Cloud Services: current