Splunk Search

How to use the per_second function with streamstats?

Skippy
Explorer

I'm trying to use streamstats on Splunk 6.2.2.255606 and the per_second stats-function is killing me. I'm trying to find the delta per second of an incrementing counter. Here's an example using some data from the introspection log.

This one works and gives me the delta between the two events (I need it per second):

index="_introspection"| streamstats current=t global=f window=2 range(data.localTime) as X

but when I try the same thing to get the per_second value Splunk throws an error:

index="_introspection"| streamstats current=t global=f window=2 per_second(data.localTime) as X_per_second

Error in 'streamstats' command: The argument 'per_second(data.localTime)' is invalid.

A workaround is to get the time delta and calculate the per_second value using an eval:

index="_introspection" | streamstats current=t global=f window=2 range(data.localTime) as X_range range(_time) as time_delta  | eval X_per_second=X_range/time_delta

but that makes my searches messy and I would really like to use the per_second stats-function if I can.

Has anyone successfully got the streamstats per_second function working? Am I missing something obvious here?

0 Karma

chimell
Motivator

Hi Skippy
As martin_mueller said, the per_second() function is easily applicable to the timechart command. Therefore, you can use a subsearch that uses timechart and the per_second() function before using the streamstats command.

martin_mueller
SplunkTrust

How can that approach be applied to the question at hand, calculating "per_second(data.localTime)"?

0 Karma

chimell
Motivator

I think that something like this could help him.
Please, martin_mueller, could you help verify on your side?
index="_introspection" | timechart per_second(data.localTime) as X| streamstats current=t global=f window=2 range(X) as X1

0 Karma

martin_mueller
SplunkTrust

How would you replace streamstats with timechart?

0 Karma

chimell
Motivator

Hi martin_mueller
I am saying that you can use timechart and streamstats in the same request; just make sure that the timechart command comes before streamstats. Look at an example:
... | timechart span=1h sum(value) as total by category | streamstats global=f sum(total) as accu_total

0 Karma

martin_mueller
SplunkTrust

per_second() is only applicable to timechart, see http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonStatsFunctions for reference.
