
How can I break out streamstats into multiple groups?

bandit
Motivator

I'm wanting to group streamstats results by either one or two fields. Grouping by sourcetype would be sufficient. Grouping by index and sourcetype would be ideal.

This query works fine for a single sourcetype; however, it does not work for multiple sourcetypes.

The desired outcome is one record per unique sourcetype and/or index.

Example query:

| tstats count as event_count where index="aws_p" sourcetype="aws:cloudwatch:guardduty" by _time span=1m index sourcetype
| sort _time
| streamstats window=1 current=false sum(event_count) as event_count values(_time) as prev_time by index sourcetype
| eval duration=_time-prev_time
| eval minutes_between_events=duration/60
| stats min(minutes_between_events) as min_minutes_between_events avg(minutes_between_events) as avg_minutes_between_events max(minutes_between_events) as max_minutes_between_events by index sourcetype
| eval avg_minutes_between_events=round(avg_minutes_between_events,0)
| eval max_hours_between_events=round(max_minutes_between_events/60,2)

[Screenshot: results for multiple sourcetypes]

[Screenshot: results for a single sourcetype]


bowesmana
SplunkTrust

When using streamstats + window and a by clause, you need to specify the global flag

| streamstats window=1 global=false current=false sum(event_count) as event_count values(_time) as prev_time by index sourcetype

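To see why the flag matters for the gap-between-events query in the question, here is an added Python model (not from this thread or from Splunk) of `streamstats window=1 current=false ... by index sourcetype` run over a constructed tstats-style row set, first with a single global window and then with one window per by-group. It assumes, as the docs describe, that with global=true the one-event window is the previous row of the whole sorted stream, so a group only gets a prev_time when that row belongs to the same group.

```python
from collections import defaultdict

# Constructed sample of what the tstats stage emits: one row per (index, sourcetype, minute).
# Two sourcetypes interleave; both go silent for three hours after _time=180.
ROWS = [
    {"_time": 0,     "index": "aws_p", "sourcetype": "aws:cloudwatch:guardduty"},
    {"_time": 60,    "index": "aws_p", "sourcetype": "aws:cloudtrail"},
    {"_time": 120,   "index": "aws_p", "sourcetype": "aws:cloudwatch:guardduty"},
    {"_time": 180,   "index": "aws_p", "sourcetype": "aws:cloudtrail"},
    {"_time": 10920, "index": "aws_p", "sourcetype": "aws:cloudwatch:guardduty"},
    {"_time": 10980, "index": "aws_p", "sourcetype": "aws:cloudtrail"},
]


def prev_time_window1(rows, global_window):
    """Model of: streamstats window=1 current=false values(_time) as prev_time by index sourcetype.

    global_window=True  : one window over the whole stream; prev_time is set only if the
                          immediately preceding row is in the same (index, sourcetype) group.
    global_window=False : a separate window per group, i.e. the group's own previous row.
    """
    out = []
    last_by_group = {}
    last_global = None
    for r in sorted(rows, key=lambda r: r["_time"]):        # | sort _time
        key = (r["index"], r["sourcetype"])
        if global_window:
            same = last_global is not None and (last_global["index"], last_global["sourcetype"]) == key
            prev = last_global["_time"] if same else None
        else:
            prev = last_by_group.get(key)
        out.append({**r, "prev_time": prev})
        last_by_group[key] = r["_time"]
        last_global = r
    return out


def gap_stats(rows, global_window):
    """Model of the eval + stats stages: min/avg/max minutes between events per group."""
    gaps = defaultdict(list)
    for r in prev_time_window1(rows, global_window):
        if r["prev_time"] is not None:                       # null duration drops out of stats
            gaps[(r["index"], r["sourcetype"])].append((r["_time"] - r["prev_time"]) / 60)
    return {
        k: {"min": min(v), "avg": round(sum(v) / len(v)), "max": max(v), "max_hours": round(max(v) / 60, 2)}
        for k, v in gaps.items()
    }


if __name__ == "__main__":
    print("global=true :", gap_stats(ROWS, global_window=True))   # {} - every prev_time is null
    print("global=false:", gap_stats(ROWS, global_window=False))  # 3 h silence visible per group
```

With interleaved sourcetypes the global window never contains a same-group event, so every duration is null and the stats stage returns nothing; per-group windows surface the three-hour gap for each sourcetype, which is what an ingestion-silence check needs.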

bandit
Motivator

Thanks for the help @bowesmana - much appreciated!


