So here is my search:
index=* sourcetype=xyz source=pp iso_direction="outgoing" *0210*
| eval Error_Count=if(de39_response_code!=00,"true","false")
| table _time de39_response_code Error_Count
| streamstats count by Error_Count
Current result:
_time de39_response_code Error_Count count
2017-01-30 09:57:26.505 05 true 1
2017-01-30 09:56:37.142 05 true 2
2017-01-30 09:55:52.728 05 true 3
2017-01-30 09:55:40.469 05 true 4
2017-01-30 09:49:19.215 00 false 1
2017-01-30 09:49:10.167 05 true 5
2017-01-30 09:42:49.599 05 true 6
2017-01-30 09:30:32.162 05 true 7
2017-01-30 09:54:41.951 05 true 8
So when I try to use the option reset_on_change=true, it gives me the error "invalid argument" and doesn't reset the count.
Expected result:
index=* sourcetype=xyz source=pp iso_direction="outgoing" *0210*
| eval Error_Count=if(de39_response_code!=00,"true","false")
| table _time de39_response_code Error_Count
| streamstats count by Error_Count reset_on_change=true
_time de39_response_code Error_Count count
2017-01-30 09:57:26.505 05 true 1
2017-01-30 09:56:37.142 05 true 2
2017-01-30 09:55:52.728 05 true 3
2017-01-30 09:55:40.469 05 true 4
2017-01-30 09:49:19.215 00 false 1
2017-01-30 09:49:10.167 05 true 1
2017-01-30 09:42:49.599 05 true 2
2017-01-30 09:30:32.162 05 true 3
2017-01-30 09:54:41.951 05 true 4
Any help?
What version of Splunk are you running? That option was added in 6.4.
@sathiyasun - Did upgrading your Splunk instance help resolve your issue? If yes, please don't forget to resolve this post by clicking on "Accept" below the best answer and upvoting any comments that were helpful. If you still need more help, please provide a comment with some feedback. Thanks!
I guess that is the issue. I am using Splunk 6.3.1. Thanks, let me try to upgrade it and see if that works for me.
I tried with streamstats, and your SPL seems to work fine with that argument on my local instance, which is Splunk 6.5.x.
In fact, the error you are reporting would come from the following commands:
Error in 'eventstats' command: The argument 'reset_on_change=true' is invalid.
Error in 'stats' command: The argument 'reset_on_change=true' is invalid.
Error in 'sistats' command: The argument 'reset_on_change=true' is invalid.
Error in 'tstats' command: Invalid argument: 'reset_on_change=true'
I am using Splunk 6.3.1. Do you think that could be the issue here?
Yes, that is the issue! 6.4.x or higher is what's needed.
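As an added illustration of what reset_on_change actually changes (this is not code from the thread and not Splunk's own implementation), here is a small Python simulation of `streamstats count by Error_Count` run over the nine rows quoted in the question, with and without the option. It assumes the events are processed in the order the tables list them and that `count` is the only accumulator of interest; the `error_flag` helper mirrors the numeric comparison the `eval` performs, since the literal `00` in the search is a number, not a string.

```python
"""Simulation of Splunk's `streamstats count by <field>` with and without
reset_on_change=true, run over the rows quoted in the question.

Added example: not Splunk's implementation and not code from the thread.
Assumptions: events arrive in the order the table lists them, and `count`
is the only accumulator being tracked.
"""
from typing import Any, Dict, List

# Constructed sample: the nine events from the question (_time, de39_response_code).
EVENTS: List[Dict[str, Any]] = [
    {"_time": "2017-01-30 09:57:26.505", "de39_response_code": "05"},
    {"_time": "2017-01-30 09:56:37.142", "de39_response_code": "05"},
    {"_time": "2017-01-30 09:55:52.728", "de39_response_code": "05"},
    {"_time": "2017-01-30 09:55:40.469", "de39_response_code": "05"},
    {"_time": "2017-01-30 09:49:19.215", "de39_response_code": "00"},
    {"_time": "2017-01-30 09:49:10.167", "de39_response_code": "05"},
    {"_time": "2017-01-30 09:42:49.599", "de39_response_code": "05"},
    {"_time": "2017-01-30 09:30:32.162", "de39_response_code": "05"},
    {"_time": "2017-01-30 09:54:41.951", "de39_response_code": "05"},
]


def error_flag(code: str) -> str:
    """Mirror `eval Error_Count=if(de39_response_code!=00,"true","false")`.
    The literal 00 is numeric, so the comparison is numeric: "00" -> false."""
    return "true" if int(code) != 0 else "false"


def streamstats_count(events: List[Dict[str, Any]], by: str,
                      reset_on_change: bool = False) -> List[Dict[str, Any]]:
    """Streaming count per value of `by`, like `streamstats count by <by>`.

    Default: every group keeps its own running count for the whole stream, so
    an interleaved "false" event does not disturb the "true" counter.
    reset_on_change=True: when the by-field value differs from the previous
    event's, all accumulated statistics are dropped and counting restarts.
    """
    counts: Dict[str, int] = {}
    prev_key = None
    out: List[Dict[str, Any]] = []
    for ev in events:
        key = ev[by]
        if reset_on_change and prev_key is not None and key != prev_key:
            counts = {}  # group-by value changed: reset all accumulators
        counts[key] = counts.get(key, 0) + 1
        out.append({**ev, "count": counts[key]})
        prev_key = key
    return out


def run(reset_on_change: bool) -> List[int]:
    """Apply the eval, then streamstats; return the resulting count column."""
    tagged = [{**ev, "Error_Count": error_flag(ev["de39_response_code"])}
              for ev in EVENTS]
    return [row["count"]
            for row in streamstats_count(tagged, "Error_Count", reset_on_change)]


if __name__ == "__main__":
    for reset in (False, True):
        print(f"reset_on_change={str(reset).lower()}: {run(reset)}")
```

Running it prints the count column of both tables in the question: the default run keeps the "true" counter going (5, 6, 7, 8) after the interleaved "false" event, while reset_on_change starts it again at 1. On 6.3.x the option is simply not recognised, which is why the search errors out rather than producing the second table.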