Splunk software provides a command named streamstats that adds cumulative summary statistics to search results in a streaming manner. The command calculates the statistics for each event at the time the event is observed. For example, the running total of a specific field can be calculated with this command: for each processed event, the value is the sum of that field over all events up to and including the current one.
The streamstats command is very similar to the eventstats command; the difference is that streamstats uses only the events seen before the current event to compute the aggregate statistics that are added to each event, whereas eventstats uses all events. If the current event should be included in the calculation as well, use the argument current=true, which is the default.
The streamstats command is also similar to the stats command. The difference is that streamstats calculates the summary statistics on all the search results, event by event, whereas stats works on a group of results as a whole rather than on each search result.
streamstats is a statistical aggregation command. Use the AS clause to place the result computed up to the current event into a new field with a name you specify. The aggregation function can be applied to any number of fields, or to the result of an expression evaluated with the eval command.
Let us now look at the theory discussed above in the form of examples, and go through the details we might have missed so far.
This example computes the average of a field over the last 10 events. For each event, the average of field1 is computed over the 10 most recent events, including the current one:
…| streamstats avg(field1) window=10
This example computes the same 10-event average of field1, but separately for each value of field2. With global=f, the window of 10 events is kept per field2 value rather than across all events:
…| streamstats avg(field1) BY field2 window=10 global=f
This example adds a count field to each event that holds the number of events seen so far, including the current one. In simpler terms, the count field is 1 for the first event, 2 for the second event, and so on.
This example counts the occurrences of events within a time window of the specified length, here 5 minutes. The number of events the window can hold is bounded by the max_stream_window setting in the limits.conf file, which defaults to 10000 events. The following command does exactly that:
…| streamstats count time_window=5m
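The four examples above (running count, 10-event average, per-group average with global=f, and count over a 5-minute time_window) all rely on the same streaming idea: keep a window of recent events and recompute the statistic for each event as it arrives. The Python below is an added example, not code from the article or from Splunk; it emulates those streamstats arguments on a constructed list of login events so the windowing rules can be checked by hand. The function names, the sample events and the inclusive time_window boundary are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def streamstats(events, stat, field=None, by=None, window=0, time_window=None,
                global_window=True, max_stream_window=10000):
    """Emulate `| streamstats <stat>(<field>) [BY <by>] [window=N]
    [time_window=<span>] [global=t|f]` on a time-ordered list of event dicts.
    Returns one result per event, in order.

    - window=N keeps the N most recent events; with global=False and a BY
      field, the N-event window is kept per group instead of across all events.
    - time_window keeps events whose _time lies within the span before the
      current event's _time (assumption: the boundary is inclusive).
    - max_stream_window mirrors the limits.conf cap the article mentions: the
      window never holds more than this many events.
    The current event is always included, as with the default current=true.
    """
    per_group = bool(by) and not global_window
    history = defaultdict(deque)          # one deque per group, or a single one
    results = []
    for ev in events:
        key = ev.get(by) if by else None
        hist = history[key if per_group else None]
        hist.append(ev)
        # Trim the window: by event count, then by time span, then the hard cap.
        if window:
            while len(hist) > window:
                hist.popleft()
        if time_window is not None:
            cutoff = ev["_time"] - time_window
            while hist[0]["_time"] < cutoff:
                hist.popleft()
        while len(hist) > max_stream_window:
            hist.popleft()
        # With a global window and a BY field, only events from the current
        # event's group contribute to its statistic.
        group = [e for e in hist if not by or e.get(by) == key]
        values = [e[field] for e in group if field in e] if field else []
        if stat == "count":
            results.append(len(group))
        elif stat == "sum":
            results.append(sum(values))
        elif stat == "avg":
            results.append(sum(values) / len(values) if values else None)
        else:
            raise ValueError(f"unsupported stat: {stat}")
    return results


# Constructed sample events (not from the article): login attempts with a
# timestamp, a user and a latency, standing in for _time, field2 and field1.
T0 = datetime(2024, 1, 1, 10, 0, 0)


def _ev(minute, user, latency_ms, result):
    return {"_time": T0 + timedelta(minutes=minute), "user": user,
            "latency_ms": latency_ms, "result": result}


EVENTS = [
    _ev(0, "alice", 100, "success"),
    _ev(1, "bob",   300, "failure"),
    _ev(2, "alice", 200, "success"),
    _ev(3, "bob",   500, "failure"),
    _ev(4, "alice", 300, "failure"),
    _ev(7, "bob",   100, "failure"),
    _ev(8, "alice", 400, "success"),
]


def running_count():
    """| streamstats count"""
    return streamstats(EVENTS, "count")


def moving_avg_latency():
    """| streamstats avg(latency_ms) window=3"""
    return streamstats(EVENTS, "avg", field="latency_ms", window=3)


def moving_avg_latency_by_user():
    """| streamstats avg(latency_ms) BY user window=2 global=f"""
    return streamstats(EVENTS, "avg", field="latency_ms", by="user",
                       window=2, global_window=False)


def count_last_5_minutes():
    """| streamstats count time_window=5m"""
    return streamstats(EVENTS, "count", time_window=timedelta(minutes=5))


def failures_per_user_last_5_minutes():
    """| search result=failure | streamstats count BY user time_window=5m global=f
    A defender's use of the same command: failed logins per user in the
    trailing five minutes, which a later `where count >= N` could alert on."""
    failures = [e for e in EVENTS if e["result"] == "failure"]
    return streamstats(failures, "count", by="user",
                       time_window=timedelta(minutes=5), global_window=False)


if __name__ == "__main__":
    for name, fn in [("count", running_count),
                     ("avg window=3", moving_avg_latency),
                     ("avg BY user window=2 global=f", moving_avg_latency_by_user),
                     ("count time_window=5m", count_last_5_minutes),
                     ("failures BY user time_window=5m", failures_per_user_last_5_minutes)]:
        print(f"{name}: {fn()}")
```

The per-group branch (global=False with a BY field) is the one that changes results most: with a global window, a burst of events from one user pushes the other user's events out of everyone's window, whereas a per-group window lets each user keep their own history.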
This example calculates the hourly cumulative totals of values per category. The timechart command produces the hourly totals and the streamstats command turns them into cumulative totals:
…| timechart span=60min sum(value) as totals BY category | streamstats global=f sum(totals) as accumulated_totals
The timechart command buckets the events into spans of 60 minutes (1 hour) and sums the values for each available category. It also fills in NULL values so that no bucket is missing. The resulting table is then passed to the streamstats command, which computes the accumulated total as the example intends.
In this article, we have taken a closer look at how to use the streamstats command and understood its functionality through a few illustrative examples, including where the command finds its use. For other details, such as the optional parameters of the command, please refer to the official Splunk documentation.