Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you help me with a query using the streamstats...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
zacksoft
Contributor
12-21-2018
06:26 AM
Here is how events are,
2018-12-20T13:38:07.938-0500: 28658.929: [**Dull BC** (Allocation Failure)
2018-12-20T13:38:12.764-0500: 28663.756: [SoftReference, 410050 refs, 0.1673385 secs
2018-12-20T13:38:12.932-0500: 28663.923: [WeakReference, 117939 refs, 0.0132928 secs]
2018-12-20T13:38:12.945-0500: 28663.936: [FinalReference, 476 refs, 0.0002134 secs]
2018-12-20T13:38:12.945-0500: 28663.937: [PhantomReference, 658 refs, 789 refs, 0.0002301 secs]
2018-12-20T13:38:12.945-0500: 28663.937: [JNI Weak Reference, 0.0005271 secs]
17G->7032M(18G), **16.4882875** secs]
I am hoping streamstats would be able to help me with the following requirement,
If splunk search encounters the keyword 'Dull BC', then the control should jump to the next 5th event/sentence/line and fetch the value '16.2882857' for me.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
whrg
Motivator
12-21-2018
08:48 AM
Hello @zacksoft,
You could use the streamstats command like this:
your base search
| streamstats count reset_after="("like(_raw,\"%Dull BC%\")")"
| search count=5
However, you will notice a minor glitch with this command: If the the first couple of lines do not contain "Dull BC" then the fifth line will have a count of 5 regardless.
Perhaps you could also use the transaction command:
your base search | sort -_time
| transaction startswith="**Dull BC**" endswith="JNI Weak Reference" maxevents=6
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
whrg
Motivator
12-21-2018
08:48 AM
Hello @zacksoft,
You could use the streamstats command like this:
your base search
| streamstats count reset_after="("like(_raw,\"%Dull BC%\")")"
| search count=5
However, you will notice a minor glitch with this command: If the the first couple of lines do not contain "Dull BC" then the fifth line will have a count of 5 regardless.
Perhaps you could also use the transaction command:
your base search | sort -_time
| transaction startswith="**Dull BC**" endswith="JNI Weak Reference" maxevents=6
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
zacksoft
Contributor
12-24-2018
06:20 AM
Thank you.
The transaction command does the job, but I see anomaly.
sometimes maxevents = 6 shows the lines but mazevents = 9 doesn't.
It's strange..
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
