streamstats command usage
Resetting the aggregations
There are several ways to reset the aggregations. You can reset before something occurs, after something occurs, and when the values in the <by clause> field changes.
Reset after and reset before
reset after clause resets the aggregation in the next search result after the condition occurs.
reset before clause resets the aggregation in the search result in which the condition occurs.
Suppose that you have the following data:
You want to calculate the total bytes for each host. However, when the system reboots you want the calculation for the total bytes to begin again. You can use the
reset after argument to accomplish this.
| streamstats reset after action="REBOOT" sum(bytes) AS total_bytes BY host
Because the value in the
action field is a string literal, the value needs to be enclosed in double quotation marks.
streamstats command calculates a running total of the bytes for each
host into a field called
total_bytes. The running total resets each time an event satisfies the
action="REBOOT"criteria. The results look like this:
total_bytes field accumulates a sum of the bytes so far for each host. When the reset after clause
action="REBOOT" occurs in the 4th event, that event shows the sum for the x host, including the bytes for the REBOOT action. The sum of the bytes is reset for both the y and x hosts in the next events.
reset before clause is used instead, the results would be this:
To reset the aggregation whenever any of the fields specified in the <group-by> clause change, use the
reset onchange condition.
Continuing with the previous example, you would use this syntax:
...| streamstats reset onchange sum(bytes) AS total_bytes BY host
The output from this search is this:
Because the value of the
host changes between the 2nd and 3rd rows, the
total_bytes is reset in the 3rd row. The reset occurs again between the 4th and 5th rows.
Combining reset clauses
You can combine the reset clauses. For example you can use this search:
...| streamstats reset after action="REBOOT" onchange sum(bytes) AS total_bytes BY host
If combined, a reset occurs whenever any of the clauses triggers a reset.
Differences between SPL and SPL2
Command syntax has changed
streamstats command syntax in SPL2 is substantially different from the
streamstats command in SPL. All of the reset conditions have new syntax that makes it easier to write expressions. Instead of individual reset arguments, there is one
reset argument where you can specify multiple reset conditions. Additionally, you no longer have to escape quotation marks or parentheses in the reset expressions.
The following table shows the SPL syntax and an example for the
|reset_after="("<eval-expression>")"||reset_after=(CPUUtilization > 50)|
|<stats-agg-term>...||avg(CPUUtilization) AS avg_cpu|
The following table shows the SPL2 syntax and an example for the
|<stats aggregation>||avg(CPUUtilization) AS avg_cpu|
||reset before reboot="COMPLETE" after CPUUtilization > 50 onchange|
Some command options are not supported in SPL2
The following arguments from SPL do not have an equivalent argument in SPL2.
streamstats command syntax details
streamstats command examples
This documentation applies to the following versions of Splunk® Cloud Services: current
Feedback submitted, thanks!