Splunk Stream

User Manual

Configure Streams to apply aggregation

You can apply aggregation methods to perform statistical analysis of captured events over specific time intervals. Splunk Stream groups events into aggregation buckets, with one bucket allocated for each unique combination of Key field values. At the end of each time interval, Splunk Stream emits one object that represents each bucket.

For example, you can enable aggregation over a 60-second interval, assign Key to the src_ip field, and apply the sum aggregate function to the bytes_in field. Using this information, Splunk Stream creates a bucket for each unique src_ip value it sees, and sums the number of bytes_in over a 60-second interval for each bucket.

Aggregation types

You must set each field that you enable for aggregation to one of the following two aggregation types:

  • Key: Fields that have aggregation type "Key" are used for grouping data into buckets.
  • Aggregated: Fields that have aggregation type "Aggregated" can have one or more aggregate functions applied to them. For a complete list of aggregate functions, see Stream aggregation methods in this manual.

Set up aggregation

  1. In the Configure Streams page, click on the name of your stream.
  2. Under Aggregation, click Yes, every, then enter a time in seconds. This enables Aggregation for the stream and determines the time interval over which data aggregation occurs.
  3. (optional) Under Top Fields, click Yes, only index top, then enter a number.
  4. From the menu, select count or any aggregated field to use as the basis for sorting the top buckets.
  5. Select Enable for each field you want to aggregate.
  6. Select an Aggregation Type for each enabled field.
    • Select Key to use the field for specifying aggregation buckets. A separate bucket is generated for each distinct value of the Key field over the selected time interval.
    • Select Aggregated to enable aggregation for the field. The number of selected aggregate functions appears in parentheses. The sum aggregate function is selected by default.
  7. Click on the number in parentheses (x) to select aggregate functions for a particular field.
  8. Select one or more aggregate functions. Click Save.
  9. Click Save again.

About multiple Key fields

If an aggregate event includes multiple Key fields, Stream looks for unique combinations of values of those fields and creates a separate bucket for each combination.

For example, if you assign Key to the field src_ip and you apply the sum aggregate function to the field bytes_in, then for each time interval, the app creates a bucket for each unique src_ip value that occurs, and sums the number of bytes_in over that interval for each bucket. If you also assign Key to the dest_ip field, the app creates a bucket for each unique pair of src_ip and dest_ip.
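The bucketing described above (one bucket per interval per unique Key combination, with aggregate functions applied to the Aggregated fields and an optional Top Fields cut) is illustrated below by an added Python model written for this page; it is not Splunk Stream's own code. The events, the 60-second interval and the field names src_ip, dest_ip and bytes_in are constructed to match the examples in this topic.

```python
from collections import defaultdict

# Constructed sample events (not captured traffic): timestamp in seconds plus fields.
EVENTS = [
    {"ts": 0,  "src_ip": "10.0.0.1", "dest_ip": "10.0.0.9", "bytes_in": 100},
    {"ts": 10, "src_ip": "10.0.0.1", "dest_ip": "10.0.0.9", "bytes_in": 250},
    {"ts": 20, "src_ip": "10.0.0.2", "dest_ip": "10.0.0.9", "bytes_in": 75},
    {"ts": 45, "src_ip": "10.0.0.1", "dest_ip": "10.0.0.8", "bytes_in": 500},
    {"ts": 65, "src_ip": "10.0.0.1", "dest_ip": "10.0.0.9", "bytes_in": 40},  # next 60 s interval
    {"ts": 70, "src_ip": "10.0.0.3", "dest_ip": "10.0.0.9", "bytes_in": 60},
]

# A few aggregate functions; the full list is in "Stream aggregation methods".
AGG_FUNCS = {"sum": sum, "max": max, "min": min, "avg": lambda v: sum(v) / len(v)}

def aggregate(events, interval, key_fields, agg_fields, top=None, sort_by="count"):
    """Emit one object per (interval, unique Key combination) bucket.

    agg_fields maps a field to the functions applied to it, e.g. {"bytes_in": ["sum"]}.
    With top=N only the N largest buckets per interval, ranked by sort_by
    ("count" or an aggregated column such as "bytes_in_sum"), are kept.
    """
    buckets = defaultdict(list)
    for ev in events:
        start = (ev["ts"] // interval) * interval          # interval the event falls in
        key = (start,) + tuple(ev[f] for f in key_fields)  # one bucket per unique combination
        buckets[key].append(ev)

    rows = []
    for key, evs in buckets.items():
        row = {"interval_start": key[0], **dict(zip(key_fields, key[1:])), "count": len(evs)}
        for field, funcs in agg_fields.items():
            values = [e[field] for e in evs]
            for name in funcs:
                row[f"{field}_{name}"] = AGG_FUNCS[name](values)
        rows.append(row)

    if top is not None:  # Top Fields: keep only the top N buckets of each interval
        kept = []
        for start in sorted({r["interval_start"] for r in rows}):
            in_interval = [r for r in rows if r["interval_start"] == start]
            kept.extend(sorted(in_interval, key=lambda r: r[sort_by], reverse=True)[:top])
        rows = kept
    return sorted(rows, key=lambda r: (r["interval_start"], -r[sort_by]))

if __name__ == "__main__":
    # One Key field: a bucket per src_ip per interval, summing bytes_in.
    for row in aggregate(EVENTS, 60, ["src_ip"], {"bytes_in": ["sum"]}):
        print(row)
    # Two Key fields: a bucket per unique (src_ip, dest_ip) pair, top 2 per interval by bytes_in_sum.
    for row in aggregate(EVENTS, 60, ["src_ip", "dest_ip"], {"bytes_in": ["sum", "max"]},
                         top=2, sort_by="bytes_in_sum"):
        print(row)
```

Adding dest_ip as a second Key splits the 10.0.0.1 bucket of the first interval (850 bytes) into two pair buckets (500 and 350 bytes), which is the behaviour the paragraph above describes.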

For more information, see Stream aggregation methods in this manual.

Last modified on 03 March, 2022

This documentation applies to the following versions of Splunk Stream: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3