topic streamstats | reset_after condition not applied within the scope of each user (field) in Splunk Search

streamstats | reset_after condition not applied within the scope of each user (field)

ralam — Sun, 30 Jun 2024 15:29:58 GMT

Hi Team,

What I'm trying to achieve: Find the consecutive failure events followed by a success event.

| makeresults | eval _raw="username,result user1,fail user2,success user3,success user1,fail user1,fail user1,success user2,fail user3,success user2,fail user1,fail" | multikv forceheader=1 | streamstats count(eval(result="fail")) as fail_counter by username,result reset_after="("result==\"success\"")" | table username,result,fail_counter

Outcome: The counter (fail_counter) gets reset for a user (say user1) if the next event is a success event for a different user (say, user2).

username	result	fail_counter
user1	fail	1
user2	success	0
user3	success	0
user1	fail	1	<- counter reset for user1. It should be 2.
user1	fail	2	It should be 3.
user1	success	0
user2	fail	1
user3	success	0
user2	fail	1
user1	fail	1

Expected: The counter should not reset if the success event for user2 follows the failure event for user1.

I would appreciate any help on this. Not sure what I'm missing here.

Re: streamstats | reset_after condition not applied within the scope of each user (field)

ITWhisperer — Sun, 30 Jun 2024 15:50:58 GMT

You could try sorting by username before the streamstats

Re: streamstats | reset_after condition not applied within the scope of each user (field)

PickleRick — Sun, 30 Jun 2024 18:36:54 GMT

The docs on the streamstats command say that "all accumulated statistics" are reset on reset_* options. That would imply that the reset is global, not on a per "by-field(s)" basis.

It could call for docs feedback to make it more explicitly stated.

The practical solution to this you already got from @ITWhisperer 🙂