Solved: Why is streamstats "reset_on_change=true" is not w...

sathiyasun · ‎02-03-2017

so here is my search :

index=* sourcetype=xyz source=pp iso_direction="outgoing" *0210* 
| eval Error_Count=if(de39_response_code!=00,"true","false")
| table _time de39_response_code Error_Count
| streamstats count by Error_Count

Current result :

_time                               de39_response_code  Error_Count count
2017-01-30 09:57:26.505           05                    true           1
2017-01-30 09:56:37.142           05                    true           2
2017-01-30 09:55:52.728           05                    true           3
2017-01-30 09:55:40.469           05                    true           4
2017-01-30 09:49:19.215           00                    false         1
2017-01-30 09:49:10.167           05                    true           5
2017-01-30 09:42:49.599           05                    true           6
2017-01-30 09:30:32.162           05                    true           7
2017-01-30 09:54:41.951           05                    true           8

So when i am trying to use the command : reset_on_change=true its give me error invalid argument and doesn't reset the count

Expected result :

index=* sourcetype=xyz source=pp iso_direction="outgoing" *0210* 
| eval Error_Count=if(de39_response_code!=00,"true","false")
| table _time de39_response_code Error_Count
| streamstats count by Error_Count reset_on_change=true


_time                               de39_response_code  Error_Count count
2017-01-30 09:57:26.505           05                    true           1
2017-01-30 09:56:37.142           05                    true           2
2017-01-30 09:55:52.728           05                    true           3
2017-01-30 09:55:40.469           05                    true           4
2017-01-30 09:49:19.215           00                    false         1
2017-01-30 09:49:10.167           05                    true           1
2017-01-30 09:42:49.599           05                    true           2
2017-01-30 09:30:32.162           05                    true           3
2017-01-30 09:54:41.951           05                    true           4

any help?

rjthibod · ‎02-04-2017

What version of Splunk are you running? That option was added in 6.4.

View solution in original post

aaraneta_splunk · ‎02-23-2017

@sathiyasun - Did upgrading your Splunk instance help resolve your issue? If yes, please don't forget to resolve this post by clicking on "Accept" below the best answer and upvoting any comments that were helpful. If you still need more help, please provide a comment with some feedback. Thanks!

rjthibod · ‎02-04-2017

What version of Splunk are you running? That option was added in 6.4.

sathiyasun · ‎02-06-2017

I guess that is the issue.. I am using Splunk 6.3.1.. Thanks. Let me try to upgrade it and see if that works for me .

gokadroid · ‎02-03-2017

I tried with sreamstats and you SPL seems to work fine with that argument in my local which is Splunk 6.5.x.
Infact the error that you are reporting shall come for following:

Error in 'eventstats' command: The argument 'reset_on_change=true' is invalid.

Error in 'stats' command: The argument 'reset_on_change=true' is invalid.

Error in 'sistats' command: The argument 'reset_on_change=true' is invalid.

Error in 'tstats' command: Invalid argument: 'reset_on_change=true'

sathiyasun · ‎02-06-2017

I am using Splunk 6.3.1.. do you think that could be an issue here ?

gokadroid · ‎02-06-2017

yes, that is the issue!! 6.4.x or higher is what's needed.

Why is streamstats "reset_on_change=true" is not working?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life