topic Re: Why is streamstats "reset_on_change=true" is not working? in Splunk Search

Why is streamstats "reset_on_change=true" is not working?

sathiyasun — Tue, 29 Sep 2020 12:43:44 GMT

so here is my search :

index=* sourcetype=xyz source=pp iso_direction="outgoing" *0210* 
| eval Error_Count=if(de39_response_code!=00,"true","false")
| table _time de39_response_code Error_Count
| streamstats count by Error_Count

Current result :

_time                               de39_response_code  Error_Count count
2017-01-30 09:57:26.505           05                    true           1
2017-01-30 09:56:37.142           05                    true           2
2017-01-30 09:55:52.728           05                    true           3
2017-01-30 09:55:40.469           05                    true           4
2017-01-30 09:49:19.215           00                    false         1
2017-01-30 09:49:10.167           05                    true           5
2017-01-30 09:42:49.599           05                    true           6
2017-01-30 09:30:32.162           05                    true           7
2017-01-30 09:54:41.951           05                    true           8

So when i am trying to use the command : reset_on_change=true its give me error invalid argument and doesn't reset the count

Expected result :

index=* sourcetype=xyz source=pp iso_direction="outgoing" *0210* 
| eval Error_Count=if(de39_response_code!=00,"true","false")
| table _time de39_response_code Error_Count
| streamstats count by Error_Count reset_on_change=true


_time                               de39_response_code  Error_Count count
2017-01-30 09:57:26.505           05                    true           1
2017-01-30 09:56:37.142           05                    true           2
2017-01-30 09:55:52.728           05                    true           3
2017-01-30 09:55:40.469           05                    true           4
2017-01-30 09:49:19.215           00                    false         1
2017-01-30 09:49:10.167           05                    true           1
2017-01-30 09:42:49.599           05                    true           2
2017-01-30 09:30:32.162           05                    true           3
2017-01-30 09:54:41.951           05                    true           4

any help?

Re: Why is streamstats "reset_on_change=true" is not working?

gokadroid — Sat, 04 Feb 2017 06:47:06 GMT

I tried with sreamstats and you SPL seems to work fine with that argument in my local which is Splunk 6.5.x.
Infact the error that you are reporting shall come for following:

Error in 'eventstats' command: The argument 'reset_on_change=true' is invalid.

Error in 'stats' command: The argument 'reset_on_change=true' is invalid.

Error in 'sistats' command: The argument 'reset_on_change=true' is invalid.

Error in 'tstats' command: Invalid argument: 'reset_on_change=true'

Re: Why is streamstats "reset_on_change=true" is not working?

rjthibod — Sat, 04 Feb 2017 16:06:07 GMT

What version of Splunk are you running? That option was added in 6.4.

Re: Why is streamstats "reset_on_change=true" is not working?

sathiyasun — Mon, 06 Feb 2017 15:15:49 GMT

I am using Splunk 6.3.1.. do you think that could be an issue here ?

Re: Why is streamstats "reset_on_change=true" is not working?

sathiyasun — Mon, 06 Feb 2017 15:19:16 GMT

I guess that is the issue.. I am using Splunk 6.3.1.. Thanks. Let me try to upgrade it and see if that works for me .

Re: Why is streamstats "reset_on_change=true" is not working?

gokadroid — Tue, 07 Feb 2017 02:03:48 GMT

yes, that is the issue!! 6.4.x or higher is what's needed.

Re: Why is streamstats "reset_on_change=true" is not working?

aaraneta_splunk — Fri, 24 Feb 2017 07:03:40 GMT

@sathiyasun - Did upgrading your Splunk instance help resolve your issue? If yes, please don't forget to resolve this post by clicking on "Accept" below the best answer and upvoting any comments that were helpful. If you still need more help, please provide a comment with some feedback. Thanks!