Splunk® Cloud Services

SPL2 Search Reference

streamstats command overview

The SPL2 streamstats command adds a cumulative statistical value to each search result as each result is processed. For example, you can calculate the running total for a particular field, or compare a value in a search result with a the cumulative value, such as a running average. The streamstats command includes options for resetting the aggregates.

Syntax

The required syntax is in bold.

streamstats
[<by-clause>]
[current=<bool>]
[<reset-clause>]
[window=<int>]
<aggregation> ...

How the SPL2 streamstats command works

Suppose that you have the following data:

host action bytes
x LOGON 100
y APP_START 200
x FILE_DOWNLOAD 400
x REBOOT 50
y LOGON 150
x LOGON 100

You can use the SPL2 streamstats command to calculate and add various statistics to the search results.

Compute a moving average over a series of events

For each event, you can compute the average of the bytes field over the last 3 events, including the current event. Here's the search to use:

... | streamstats window=3 avg(bytes)


The output looks like this:

host action bytes avg(bytes)
x LOGON 100 100
y APP_START 200 150
x FILE_DOWNLOAD 400 233.33
x REBOOT 50 216.66
y LOGON 150 200
x LOGON 100 100
  • For the first event, there are no previous events. The value for the bytes field is returned.
  • For the second event, the average is returned from the sum of first and second events.
  • For the remaining events, the average is returned from the sum of the current event and the two previous events.

Calculate a value until a trigger resets the calculation

Suppose you want to calculate a running total of the bytes for each host. However, when the system reboots you want the calculation for the total bytes to begin again. You can use the reset after argument to accomplish this. Here's the search to use:

...| streamstats sum(bytes) AS total_bytes BY host reset after action="REBOOT"

Because the value in the action field is a string literal, the value needs to be enclosed in double quotation marks.

The running total appears in the total_bytes field. The running total resets each time an event satisfies the action="REBOOT"criteria.

The results look like this:

host action bytes total_bytes
x LOGON 100 100
y APP_START 200 200
x FILE_DOWNLOAD 400 500
x REBOOT 50 550
y LOGON 150 150
x LOGON 100 100

The total_bytes field accumulates a sum of the bytes so far for each host. When the reset after clause action="REBOOT" occurs in the 4th event, that event shows the sum for the x host, including the bytes for the REBOOT action. The sum of the bytes is reset for both the y and x hosts in the next events.

Applying a count to each event

You can apply a running count to your search results, which is useful when combined with other commands.

...| streamstats count()

The output looks like this:

host action bytes count
x 100 LOGON 1
y APP_START 200 2
x FILE_DOWNLOAD 400 3
x REBOOT 50 4
y LOGON 150 5
x LOGON 100 6

See also

streamstats command
streamstats command syntax details
streamstats command usage
streamstats command examples
Functions
Overview of SPL2 stats and chart functions
Last modified on 31 January, 2024
stats command examples   streamstats command syntax details

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters