Splunk® Cloud Services

SPL2 Search Reference

streamstats command examples

The following are examples for using the SPL2 streamstats command. To learn more about the streamstats command, see How the SPL2 streamstats command works.

Many of these examples use the statistical functions. See Overview of SPL2 stats and chart functions.

1. Add a running count to each search result

In the following search, a new field holding a running count of the results is appended to each search result. The count is cumulative and includes the current result.

| from <dataset> | streamstats count()

For example, if your data looks like this:

host  _time
x     2022-07-16T00:00:00.000Z
y     2022-07-15T00:00:00.000Z
x     2022-07-14T00:00:00.000Z
x     2022-07-13T00:00:00.000Z
y     2022-07-12T00:00:00.000Z

The output would look like this:

host  _time                     count
x     2022-07-16T00:00:00.000Z  1
y     2022-07-15T00:00:00.000Z  2
x     2022-07-14T00:00:00.000Z  3
x     2022-07-13T00:00:00.000Z  4
y     2022-07-12T00:00:00.000Z  5

2. Using a <by-clause> to reset the search results count

The following search uses the host field to reset the count. For each search result, a new field is appended with a count of the results that share that result's host value. The count is cumulative and includes the current result.

| from <dataset> | streamstats count() BY host

For example, if your data looks like this:

host  _time
x     2022-07-16T00:00:00.000Z
y     2022-07-15T00:00:00.000Z
x     2022-07-14T00:00:00.000Z
x     2022-07-13T00:00:00.000Z
y     2022-07-12T00:00:00.000Z

The output would look like this:

host  _time                     count
x     2022-07-16T00:00:00.000Z  1
y     2022-07-15T00:00:00.000Z  1
x     2022-07-14T00:00:00.000Z  2
x     2022-07-13T00:00:00.000Z  3
y     2022-07-12T00:00:00.000Z  2

3. Specifying reset options

This example performs an aggregation on the bytes field and displays the total number of bytes by host. The total number of bytes is reset either when action="REBOOT" or when the host changes. The reset options must be specified before the aggregation.

...| streamstats reset after action="REBOOT" onchange sum(bytes) AS total_bytes BY host

For detailed examples using the reset options, see streamstats command usage.

4. Compute an aggregation of a field over a series of events

For each event, compute the average of the bytes field over the last 5 events, including the current event. The window option must be specified before the aggregation.

... | streamstats window=5 avg(bytes)
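The following Python model is an added example, not code from the Splunk documentation or the SPL2 runtime. It reproduces the streamstats behaviour shown in examples 1 through 4 (running count, count BY host, reset after a condition combined with onchange, and a sliding window) over a constructed event list whose host order matches the tables above, so each result can be checked against them.

```python
from collections import deque

def streamstats(events, agg, field=None, by=None, window=0,
                reset_after=None, onchange=False, out=None):
    """Append a running aggregate (agg: count, sum or avg of `field`) to each
    event. by: group field; window: last N events only (0 = all);
    reset_after: predicate, state is cleared after a matching event;
    onchange: all accumulated state is cleared when the BY value changes."""
    out = out or agg
    state = {}                      # BY value -> values seen so far
    prev_key, results = object(), []
    for ev in events:
        key = ev.get(by) if by else None
        if onchange and key != prev_key:
            state.clear()           # BY value changed: start over
        prev_key = key
        vals = state.setdefault(key, deque(maxlen=window or None))
        vals.append(1 if agg == "count" else ev[field])
        value = len(vals) if agg == "count" else sum(vals)
        if agg == "avg":
            value = value / len(vals)
        results.append({**ev, out: value})
        if reset_after and reset_after(ev):
            state.pop(key, None)    # reset after the matching event
    return results

# Constructed sample events (not from the page), same host order as the tables
# above; bytes and action are added to exercise examples 3 and 4.
EVENTS = [
    {"host": "x", "bytes": 100, "action": "LOGIN"},
    {"host": "y", "bytes": 50, "action": "LOGIN"},
    {"host": "x", "bytes": 300, "action": "REBOOT"},
    {"host": "x", "bytes": 20, "action": "LOGIN"},
    {"host": "y", "bytes": 10, "action": "LOGIN"},
]

def running_count(by=None):     # examples 1 and 2: count() [BY host]
    return [e["count"] for e in streamstats(EVENTS, "count", by=by)]

def total_bytes_with_resets():  # example 3, with the events sorted by host
    ordered = sorted(EVENTS, key=lambda e: e["host"])
    rows = streamstats(ordered, "sum", "bytes", by="host", onchange=True,
                       reset_after=lambda e: e["action"] == "REBOOT",
                       out="total_bytes")
    return [r["total_bytes"] for r in rows]

def windowed_avg(window):       # example 4: window=<N> avg(bytes)
    return [e["avg"] for e in streamstats(EVENTS, "avg", "bytes", window=window)]
```

With the five sample events a window of 5 equals the plain running average, so windowed_avg(2) is the call that shows the window sliding.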

5. Using the streamstats command with other commands

You can use the streamstats command with other commands to create a set of events with hourly timestamps. For example, you can use the repeat function together with the eval and streamstats commands to create a set of 5 events with incremental timestamps:

| FROM repeat({}, 5) | eval _time = now() | streamstats count() | eval _time=_time-(count*3600)

The results look something like this:

_time                count
2022-02-25 15:35:14  1
2022-02-25 14:35:14  2
2022-02-25 13:35:14  3
2022-02-25 12:35:14  4
2022-02-25 11:35:14  5

For more examples like this, see the "Examples" section in the repeat dataset function topic.

See also

streamstats command
streamstats command overview
streamstats command syntax details
streamstats command usage
Last modified on 31 January, 2024

This documentation applies to the following versions of Splunk® Cloud Services: current