Splunk® Cloud Services

SPL2 Search Reference

streamstats command syntax details

Syntax

The required syntax is in bold.

streamstats
[<by-clause>]
[current=<bool>]
[<reset-clause>]
[window=<int>]
<aggregation> ...

If you're going to use any of the optional arguments, they must be specified before the <aggregation>.


The AS and BY keywords are displayed in uppercase in the syntax and examples to make the syntax easier to read. You can specify these keywords in uppercase or lowercase.

Required arguments

aggregation
Syntax: <aggregate-function> "("<field>")" [AS <field>] ) ["," <aggregate-function> "("<field>")" [AS <field>] ) ]...
Description: A statistical aggregation function. The function can be applied to an eval expression, or one or more fields. You can specify multiple aggregation functions. Separate each aggregation function with a comma.
By default, the name of the field added to the output is the same as your function. For example, if your search is ... | streamstats avg(bytes) the field name in the output is avg(bytes). Use the AS clause to place the generated result into a new field with a name that you specify, for example ... | streamstats avg(bytes) AS 'avg of bytes'.
The syntax for the <aggregate-function> depends on the function that you use. See Quick Reference for SPL2 Stats and Charting Functions for information about the statistical functions.

Optional arguments

by-clause
Syntax: BY <field-list>
Description: The name of one or more fields to group the results by. The <by-clause> returns one row for each distinct value in the <by-clause> fields. Think of the <by-clause> as a grouping. You cannot use the wildcard character to specify multiple fields with similar names. You must specify each field separately.
Default: If no <by-clause> is specified, the streamstats command returns a running aggregation for each row in the incoming result set.
current
Syntax: current=<boolean>
Description: If set to true, the search includes the given, or current, event in the summary calculations. If set to false, the search uses the field value from the previous event.
Default: true
reset-clause
Syntax: reset [before <eval-expression>] [after <eval-expression>] [onchange]
Description: You can specify one or more reset condition. If multiple conditions are specified, the reset occurs when any of the conditions triggers a reset. See Usage.
Default: No reset is applied to the results.
window
Syntax: window=<integer>
Description: Specifies the number of events to use when computing the statistics. Must be a non-negative number.
Default: 0, which means that all previous and current events are used.

See also

streamstats command
streamstats command overview
streamstats command usage
streamstats command examples
Last modified on 16 May, 2023
streamstats command overview   streamstats command usage

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters