Hi,
I am trying to use the reset_after="("<'eval-expression'>")" option of the streamchart command, but it doesn't work. I want to use this option when the field "description" contains "session is closed". I have tried a lot of code, like this:
|streamstats reset_after="("eval(description="session is closed")")" last(beam_number) as "beam"
but Splunk always says "Error in 'streamstats' command: The expression is malformed. Expected )." I don't know how I have to write it.
Thanks for the help
You would need to escape the quotes inside the match() evaluation function. Use a backslash (\) for this.
|streamstats reset_after="("match(description,\"session is closed\")")" last(beam_number) as "beam"
OR
|streamstats reset_after="("description==\"session is closed\"")" last(beam_number) as "beam"
Whatever expression you put inside reset_after="("")" should be
1) a valid eval statement
2) returning only true or false.
3) Only if the eval expression returns true will the stats reset.
I have tried both of the following conditions and they work just fine:
reset_after="("0==0")"
and
reset_after="("\"0\"==\"0\"")"
Following are a couple of examples which should always work:
Example 1: Reset count after every event, i.e. 0==0
|gentimes start=12/01/2016 end=12/10/2016
| eval testCount=1
| accum testCount
| eval flag=if(0==0,"Reset Counter","Increment Counter")
| sort _time
| streamstats count as Count reset_after="("0==0")"
| table starthuman testCount flag Count
Example 2: Reset count after every alternate event, i.e. even events, i.e. modulo division by 2 (testCount%2)
| gentimes start=12/01/2016 end=12/10/2016
| eval testCount=1
| accum testCount
| eval flag=if(testCount%2=0,"Reset Counter","Increment Counter")
| sort _time
| streamstats count as Count reset_after="("testCount%2=0")"
| table starthuman testCount flag Count
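For the original question (resetting on the string "session is closed" rather than on a numeric condition), here is an added example that is not part of the answer above. It builds its own constructed events with makeresults (the beam_number values and the "session is closed" / "session active" descriptions are made up for the demonstration) and applies the backslash-escaped match() form of reset_after from the answer. It uses count and first(beam_number) alongside the asker's last(beam_number), because last() always equals the current event's value and so never shows the reset by itself:

```spl
| makeresults count=7
| streamstats count AS n
| eval beam_number = n * 10
| eval description = case(n=3, "session is closed", n=6, "session is closed", true(), "session active")
| sort n
| streamstats count AS events_in_session first(beam_number) AS session_first_beam last(beam_number) AS beam reset_after="("match(description,\"session is closed\")")"
| table n description beam_number events_in_session session_first_beam beam
```

The double quotes around the string inside match() are escaped with a backslash, as in the answer above, so that they do not terminate the outer reset_after string. Because the option is reset_after, the event whose description matches still belongs to the running window (compare Example 1 above, where Count is reset after every event); the event that follows it is the first one of a new window, which is visible in events_in_session and session_first_beam.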
@niketn - I confirmed this does work as you described while testing in 6.5; however, reset_after does not seem to work in 6.3. After reviewing the documentation, "reset_after" was introduced in 6.4.
Are you using Splunk 6.3?
Yes, you are right: reset_before, reset_after and reset_on_change were introduced from 6.4.0 onward.
Hi,
I had already tried this, and I've just tried again, but it didn't work; Splunk's answer is always the same...
Try it like this:
|streamstats reset_after="("description="session is closed"")" last(beam_number) as "beam"
OR
|streamstats reset_after="("match(description,"session is closed")")" last(beam_number) as "beam"