What this query will do?

harshal94 · ‎03-22-2018

streamstats current=f latest(up) as oldUP by lowername
I am bit confused what will streamstats calculate here?

kamlesh_vaghela · ‎03-22-2018

Hi @harshal94,

In this search streamstats calculating latest value of up field by lowername. Here you will get oldUP as new filed. Here you set current=false & If current=false, the search uses the field value from the previous event.

Please check below doc for more information.

http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Streamstats

cmerriman · ‎03-22-2018

streamstats basically grabs all of the previous events within the set parameters. you are not setting a window to only grab the previous event, or previous 10 events (window=10), so it'll search all previous events. current=f will exclude the current event. it does this for every event in your dataset. so your search will grab the latest seen up value from every event before the current event and add a field called oldUP to the current event, by lowername.
something like this:

up  lowername   oldUP
foo1    bar1    
foo2    bar1    foo1
foo3    bar1    foo2
foo4    bar1    foo3
foo5    bar1    foo4
foo6    bar1    foo5
foo7    bar2    
foo8    bar2    foo7
foo1    bar2    foo8
foo2    bar2    foo1

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Streamstats

What this query will do?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!