topic Re: How to use Streamstats command with conditions added ? in Splunk Search

How to use Streamstats command with conditions added ?

zacksoft_wf — Thu, 09 Dec 2021 08:51:46 GMT

my tablular output contains columns/fields like,
account_number | colour | team_name | business_unit

I am getting the above output by stats aggregating BY 'account_number'.
Some of the events with the same account_number has null (colour, team_name and business_unit) values. So I used ,
| streamstats last(colour) as colour,
last(team_name ) as team_name ,
last(team_name ) as team_name .
to populate from the previous row values.

I want streamstats to populate the empty fields with the previous row value, "ONLY IF, the previous row "account_number" is same with the current row".

The issue I am getting now is, lets say. I have three rows with account_number value 0001. and if 4th row has account_number is 0002 and has other three fields (colour, team_name and business_unit) empty, it is populating them with the previous 0001 account_number's value , which is incorrect.

Re: How to use Streamstats command with conditions added ?

isoutamo — Thu, 09 Dec 2021 09:01:49 GMT

Hi
have you already try "reset_on_change=true" ?
r. Ismo

Re: How to use Streamstats command with conditions added ?

zacksoft_wf — Thu, 09 Dec 2021 10:17:58 GMT

No, I haven't.

Is this the correct way of using it ?

| streamstats last(colour) as colour,
last(team_name ) as team_name ,
last(team_name ) as team_name
reset_on_change=true

Also, do I have to use the BY clause here ?
BY <the field comparing which I want the reset to be applied, 'account_number' field> ???

Re: How to use Streamstats command with conditions added ?

isoutamo — Thu, 09 Dec 2021 10:29:32 GMT

Yes you should use "BY account_number" to reset those calculations when account number changed.