topic streamstats: reset_after function didn't work,[streamstats]: reset_after doesn't works in Splunk Search

streamstats: reset_after function didn't work,[streamstats]: reset_after doesn't works

audherma — Thu, 08 Sep 2016 14:19:30 GMT

Hi,
I try to use the function reset_after="("<'eval-expression'>")" of the command streamchart but it didn't work. I want to use this function when the field "description" contains "session is closed". I tried a lot of code, like this one:

|streamstats reset_after="("eval(description="session is closed")")" last(beam_number) as "beam"

but splunk always says "Error in 'streamstats' command: The expression is malformed. Expected )." I don't know how I have to write that?
Thanks for the help

Re: streamstats: reset_after function didn't work,[streamstats]: reset_after doesn't works

somesoni2 — Thu, 08 Sep 2016 15:30:34 GMT

Try like this

|streamstats reset_after="("description="session is closed"")" last(beam_number) as "beam"

|streamstats reset_after="("match(description,"session is closed")")" last(beam_number) as "beam"

Re: streamstats: reset_after function didn't work,[streamstats]: reset_after doesn't works

audherma — Fri, 09 Sep 2016 07:06:48 GMT

Hi,
I had already tried this, and I've just tried again, but it didn't work, Splunk's answer is always the same...

Re: streamstats: reset_after function didn't work,[streamstats]: reset_after doesn't works

niketn — Tue, 27 Dec 2016 06:04:20 GMT

You would need to escape quotes inside match() evaluation function. Use backslash (\) for the same

|streamstats reset_after="("match(description,\"session is closed\")")" last(beam_number) as "beam"

|streamstats reset_after="("description==\"session is closed\"")" last(beam_number) as "beam"

Re: streamstats: reset_after function didn't work,[streamstats]: reset_after doesn't works

niketn — Wed, 28 Dec 2016 05:48:30 GMT

Whatever expression you put inside reset_after="("")" should be
1) a valid eval statement
2) returning only true or false.
3) Only if the eval expression returns true the stats will reset.

I have tried both conditions and they work just fine

reset_after="("0==0")"

and

reset_after="("\"0\"==\"0\"")"

Following are couple of examples which should always work:

Example 1: Reset count after every event i.e. 0==0

|gentimes start=12/01/2016 end=12/10/2016
| eval testCount=1
| accum testCount
| eval flag=if(0==0,"Reset Counter","Increment Counter")
| sort _time
| streamstats count as Count reset_after="("0==0")" 
| table starthuman testCount flag Count

Example 2: Reset count after every alternate event i.e. even events i.e Modular division by 2 (testCount%2)

| gentimes start=12/01/2016 end=12/10/2016
| eval testCount=1
| accum testCount
| eval flag=if(testCount%2=0,"Reset Counter","Increment Counter")
| sort _time
| streamstats count as Count reset_after="("testCount%2=0")" 
| table starthuman testCount flag Count

Re: streamstats: reset_after function didn't work,[streamstats]: reset_after doesn't works

tdime — Tue, 29 Sep 2020 12:12:13 GMT

@niketn - I confirmed this does work as you described while testing in 6.5, whoever reset_after does not seem to work in 6.3. After reviewing the documentation, "reset_after" was introduced in 6.4.

Re: streamstats: reset_after function didn't work,[streamstats]: reset_after doesn't works

niketn — Tue, 29 Sep 2020 12:12:19 GMT

Are you using Splunk 6.3?
Yes you are right reset_before reset_after and reset_on_change were introduced from 6.4.0 onward.