Splunk Search

streamstats vs. tstats

a212830
Champion

Hi,

I have a customer who is using streamstats to validate data is coming into Splunk. I recommended tstats, and do a count by index/hostname.... Is one approach better than the other? We want to validate that data is coming in a consistent manner, based upon event counts.


somesoni2
SplunkTrust

Streamstats is for generating cumulative aggregations on the results, and I'm not sure how it was useful to check that data is coming into Splunk. The tstats command runs on tsidx files (metadata) and is lightning fast. So, as long as your check to validate whether data is coming in or not involves metadata fields or indexed fields, tstats would be the way to go. If you can share the search that the customer is using with streamstats, then we can say for sure whether tstats can replace it.


hardikJsheth
Motivator

If you are looking only for the number of events within an index, the metadata command would be a better option.

woodcock
Esteemed Legend

If you can use tstats, then definitely do; it is much more efficient to gather your data from indexed metadata than by mining from inside of the events (buckets). This is a no-brainer. The problem is that many things cannot be done with tstats.


a212830
Champion

index=euc_network90 sourcetype=era_full_syslog host=myhost | streamstats count | timechart span=1d sum(count)

somesoni2
SplunkTrust

Ohh yeah, you can use tstats for this. Like this:

| tstats count WHERE index=euc_network90 sourcetype=era_full_syslog host=myhost by _time span=1d | accum count

Not sure if the streamstats was used correctly there.


a212830
Champion

Right, I use tstats. I'm trying to explain the difference to my customer, why their search isn't correct, and what it is actually reporting. Not quite sure...


somesoni2
SplunkTrust

Here is how the streamstats search is working (just sample data, adding a table command for better representation).

index=euc_network90 sourcetype=era_full_syslog host=myhost | table _time | streamstats count

This will generate data like this

_time    count
xxxxxx   1
xxxxxx   2
xxxxxx   3
xxxxxx   4
....

Adding timechart would actually add up these serial-number values and would give a wrong, much higher count (instead of getting 4 as the event count, the result would show 10).

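A small simulation of what the two searches in this thread compute, added here as an example and not code from the thread or from Splunk. It models `streamstats count | timechart sum(count)` against `tstats count by _time span=1d | accum count` on a constructed three-day sample, assuming events are processed in time order (in Splunk, `streamstats` walks results in whatever order the search returns them, but the overcount is the same either way).

```python
from collections import Counter
from itertools import accumulate

# Constructed sample: one ISO day per event, standing in for _time, in time order.
# Day 1 has 4 events, day 2 has 3, day 3 has 5.
EVENTS = ["2024-03-01"] * 4 + ["2024-03-02"] * 3 + ["2024-03-03"] * 5


def streamstats_count(events):
    """Model '| streamstats count': attach a running serial number 1..N to each event."""
    return [(day, serial) for serial, day in enumerate(events, start=1)]


def timechart_sum_count(rows):
    """Model '| timechart span=1d sum(count)': add up the attached count field per day."""
    totals = Counter()
    for day, count in rows:
        totals[day] += count
    return dict(sorted(totals.items()))


def tstats_count_by_day(events):
    """Model '| tstats count ... by _time span=1d': the real number of events per day."""
    return dict(sorted(Counter(events).items()))


def accum(per_day):
    """Model '| accum count': running total of the per-day counts across days."""
    days = list(per_day)
    return dict(zip(days, accumulate(per_day[d] for d in days)))


def customer_search(events):
    """The search from the thread: streamstats serials summed per day (the wrong number)."""
    return timechart_sum_count(streamstats_count(events))


if __name__ == "__main__":
    # Day 1 reports 1+2+3+4 = 10 instead of 4; later days are inflated further because
    # the running count never resets at the day boundary.
    print("streamstats | timechart sum(count):", customer_search(EVENTS))
    print("tstats count by day              :", tstats_count_by_day(EVENTS))
    print("tstats | accum count             :", accum(tstats_count_by_day(EVENTS)))
```

Because the serial number keeps growing across days, the customer's search reports a triangular-number sum per day (10, then 18, then 50 here) rather than an event count, so it cannot be used to judge whether ingestion volume is consistent.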