Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

why is Streamstats not working ?

adityaanand
Explorer
‎06-09-2015 01:28 AM

Hi,

I am trying to find cumulative sum of unique IPAddress by IsManuallyInstalled monthly. IsManuallyInstalled has two values: true and false. So I want cumulative sum of true and false monthly.
I did it this way:

source="D:\\Splunk Data\\RSD Demo\\*" host="PU4D9W0ND02" index="test" sourcetype="RSD_Log"|spath| rex "IPAddress=\"(?<IPAddress>[^\"]*)\" IsManuallyInstalled=\"(?<IsManuallyInstalled>[^\"]*)\"" | dedup IPAddress sortby -_time |timechart span=1mon count(IPAddress) As "MachineCount" by IsManuallyInstalled |streamstats global=f  sum(MachineCount)

But it is not giving the expected result as I supposed streamstats not working. It is giving the same result if I remove:
|streamstats global=f sum(MachineCount).

Please help how can i achieve this?

Regards,
Aditya

Tags (2)
0 Karma
Reply

jacobwilkins
Communicator
‎06-10-2015 06:01 AM

It looks like you want a distinct count, the dc() method...

source="D:\\Splunk Data\\RSD Demo\\*" host="PU4D9W0ND02" index="test" sourcetype="RSD_Log" 
|spath 
| rex "IPAddress=\"(?<IPAddress>[^\"]*)\" IsManuallyInstalled=\"(?<IsManuallyInstalled>[^\"]*)\""  
| timechart span=1mon dc(IPAddress) As "MachineCount" by IsManuallyInstalled

Using dc() lets you get rid of that dedup.

I question the necessity of using both spath and rex, but you know your dataset better than I do.

0 Karma
Reply

jacobwilkins
Communicator
‎06-10-2015 06:08 AM

Oh, and you were looking for accumulations. Yeah. Listen to jeffland

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎06-10-2015 06:16 AM

I also noticed the count/distinct count issue, but then saw the dedup ahead of it which makes dc redundant.

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎06-09-2015 05:45 AM

This could be done with a simple stats, such as this:

 source="D:\\Splunk Data\\RSD Demo\\*" host="PU4D9W0ND02" index="test" sourcetype="RSD_Log"|spath| rex "IPAddress=\"(?<IPAddress>[^\"]*)\" IsManuallyInstalled=\"(?<IsManuallyInstalled>[^\"]*)\"" | dedup IPAddress sortby -_time | stats count by IsManuallyInstalled

If you want these results per month:

source="D:\\Splunk Data\\RSD Demo\\*" host="PU4D9W0ND02" index="test" sourcetype="RSD_Log"|spath| rex "IPAddress=\"(?<IPAddress>[^\"]*)\" IsManuallyInstalled=\"(?<IsManuallyInstalled>[^\"]*)\"" | dedup IPAddress sortby -_time | eval month=strftime(_time, "%B") | stats count by IsManuallyInstalled month

Be careful not to run this search over more than a year, or include the year in strftime as well.

0 Karma
Reply

adityaanand
Explorer
‎06-10-2015 04:48 AM

It is not giving cumulative sum.
Suppose in April month false count is 3 and in May false count is 6 then
Result should be like this:
April - 3
May - 9

0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎06-10-2015 05:48 AM

Hm, on second thought: your timechart has a by-clause. That means your columns are titled "true" and "false" (or how the results of IsManuallyInstalled are precisely), and you need to work your streamstats on those titles - i.e. 

source="D:\\Splunk Data\\RSD Demo\\*" host="PU4D9W0ND02" index="test" sourcetype="RSD_Log"|spath| rex "IPAddress=\"(?<IPAddress>[^\"]*)\" IsManuallyInstalled=\"(?<IsManuallyInstalled>[^\"]*)\"" | dedup IPAddress sortby -_time |timechart span=1mon count(IPAddress) by IsManuallyInstalled |streamstats sum(true) sum(false)
0 Karma
Reply

jeffland
SplunkTrust
SplunkTrust
‎06-10-2015 05:37 AM

Edit: this is now obsolete.

Ah! I see. Sorry, somehow overlooked the "cumulative" in your question and wondered why you were using streamstats...

In your case, a way to do it would be via accum, something like

source="D:\\Splunk Data\\RSD Demo\\*" host="PU4D9W0ND02" index="test" sourcetype="RSD_Log"|spath| rex "IPAddress=\"(?<IPAddress>[^\"]*)\" IsManuallyInstalled=\"(?<IsManuallyInstalled>[^\"]*)\"" | dedup IPAddress sortby -_time |timechart span=1mon count(IPAddress) As "MachineCount" by IsManuallyInstalled | accum MachineCount as AccumulatedMachineCount
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...