Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

streamstats: reset_after function didn't work,[streamstats]: reset_after doesn't works

audherma
Engager
‎09-08-2016 07:19 AM

Hi,
I try to use the function reset_after="("<'eval-expression'>")" of the command streamchart but it didn't work. I want to use this function when the field "description" contains "session is closed". I tried a lot of code, like this one:

|streamstats reset_after="("eval(description="session is closed")")" last(beam_number) as "beam"

but splunk always says "Error in 'streamstats' command: The expression is malformed. Expected )." I don't know how I have to write that?
Thanks for the help

Tags (1)
Reply

niketn
Legend
‎12-26-2016 10:04 PM

You would need to escape quotes inside match() evaluation function. Use backslash (\) for the same

|streamstats reset_after="("match(description,\"session is closed\")")" last(beam_number) as "beam"

OR 

|streamstats reset_after="("description==\"session is closed\"")" last(beam_number) as "beam"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎12-27-2016 09:48 PM

Whatever expression you put inside reset_after="("")" should be
1) a valid eval statement
2) returning only true or false.
3) Only if the eval expression returns true the stats will reset.

I have tried both conditions and they work just fine

reset_after="("0==0")"

and 

reset_after="("\"0\"==\"0\"")"

Following are couple of examples which should always work:

Example 1: Reset count after every event i.e. 0==0

|gentimes start=12/01/2016 end=12/10/2016
| eval testCount=1
| accum testCount
| eval flag=if(0==0,"Reset Counter","Increment Counter")
| sort _time
| streamstats count as Count reset_after="("0==0")" 
| table starthuman testCount flag Count

Example 2: Reset count after every alternate event i.e. even events i.e Modular division by 2 (testCount%2)

| gentimes start=12/01/2016 end=12/10/2016
| eval testCount=1
| accum testCount
| eval flag=if(testCount%2=0,"Reset Counter","Increment Counter")
| sort _time
| streamstats count as Count reset_after="("testCount%2=0")" 
| table starthuman testCount flag Count
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

tdime
Explorer
‎12-28-2016 06:49 AM

@niketn - I confirmed this does work as you described while testing in 6.5, whoever reset_after does not seem to work in 6.3. After reviewing the documentation, "reset_after" was introduced in 6.4.

0 Karma
Reply

niketn
Legend
‎12-28-2016 09:21 AM

Are you using Splunk 6.3?
Yes you are right reset_before reset_after and reset_on_change were introduced from 6.4.0 onward.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

audherma
Engager
‎09-09-2016 12:06 AM

Hi,
I had already tried this, and I've just tried again, but it didn't work, Splunk's answer is always the same...

0 Karma
Reply

somesoni2
Revered Legend
‎09-08-2016 08:30 AM

Try like this

|streamstats reset_after="("description="session is closed"")" last(beam_number) as "beam"

OR

|streamstats reset_after="("match(description,"session is closed")")" last(beam_number) as "beam"
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...