Splunk Search

why per_minute(), per_second() Functions don't work with Stats and streamstats command ??

NPR
Path Finder

i see this in Search Reference manuel
Stats functions options

stats-function
Syntax:avg() | c() | count() | dc() | distinct_count() | first() | last() | list() |
max() | median() | min() | mode() | p<in>() | perc<int>() | per_day() |
per_hour() | per_minute() | per_second() | range() | stdev() | stdevp() |
sum() | sumsq() | values() | var() | varp()

Description:Functions used with the stats command. Each time you
invoke the statscommand, you can use more than one function;
however, you can only use one by clause. For a complete list of stats
functions with descriptions and examples, see "Functions for stats, chart,
and timechart".

but when i run per_minute(), per_second() Functions with Stats and streamstats commands.
it isn't work why ?
any idea?

thank.

0 Karma
1 Solution

stephane_cyrill
Builder

Hi everyone,

at the page 145 in splunk 6.2.2 SearchReference.pdf, where you saw STATS-FUNCTION, as NPR post up there, stats-function there is in the general sense of statistics. all that function are not precisely for STATS COMMAND.

at the end of that paragraph you have a link. "Functions for stats,chart,and timechart" this link redirect us at page 56 of the same document.
There we have a table that list Functions and that commands with which we use them.

It is clearly mention there that functions, per_day(), per_hour(), per_minute(),per_second() are use only with the COMMAND TIMECHART.

SO YOU CAN UNDERSTAND THAT IN SPLUNK FOR THE MOMENT WE DO NOT USE these functions with stats command.

see the manual here:

docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Whatsinthismanual

View solution in original post

chimell
Motivator

Hi NPR
per_second() function is easily applicable to timechart command .Therefore , you can use a subsearch using timechart and per_second() function before use streamstats command.

Mean that you can use timechart and streamstats Or stats command in the same request , you make sure that timechart command come before streamstats or stats command in your request : look at an example

 index="_introspection" | timechart per_second(data.localTime) as X| streamstats current=t global=f window=2 range(X) as X1

you can follow this link for more information

http://answers.splunk.com/answers/228525/how-to-use-the-per-second-function-with-streamstat.html#ans...

NPR
Path Finder

thank but i want with Stats and streamstats command
and thank olso for the link.

0 Karma

stephane_cyrill
Builder

Hi everyone,

at the page 145 in splunk 6.2.2 SearchReference.pdf, where you saw STATS-FUNCTION, as NPR post up there, stats-function there is in the general sense of statistics. all that function are not precisely for STATS COMMAND.

at the end of that paragraph you have a link. "Functions for stats,chart,and timechart" this link redirect us at page 56 of the same document.
There we have a table that list Functions and that commands with which we use them.

It is clearly mention there that functions, per_day(), per_hour(), per_minute(),per_second() are use only with the COMMAND TIMECHART.

SO YOU CAN UNDERSTAND THAT IN SPLUNK FOR THE MOMENT WE DO NOT USE these functions with stats command.

see the manual here:

docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Whatsinthismanual

ngatchasandra
Builder

Hi,
I think this is a mistake ! When you execute the commands streamstats and stats with per_minute functions per_second and per_day , splunk does not see them as the functions but as a argrument ! Because this is what is noted when execute the search. Error in 'stats' command: The argument 'per_day(bytes)' is invalid.

But this is work very fine with timechart command because timechart command can split results in time slot. Like follow for example:

index=_internal|timechart per_day(bytes)
0 Karma

NPR
Path Finder

thank but i want with Stats and streamstats command

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...