Splunk Search

How can I break out streamstats into multiple groups?

bandit
Motivator

I'm wanting to group streamstats results by either one or two fields. Grouping by sourcetype would be sufficient. Grouping by index and sourcetype would be ideal.

This query works fine for a single sourcetype, however does not work for multiple sourcetypes.

The desired outcome is one record per unique sourcetype and/or index.

Example query:

| tstats count as event_count where index="aws_p" sourcetype="aws:cloudwatch:guardduty" by _time span=1m index sourcetype
| sort _time
| streamstats window=1 current=false sum(event_count) as event_count values(_time) as prev_time by index sourcetype
| eval duration=_time-prev_time
| eval minutes_between_events=duration/60
| stats min(minutes_between_events) as min_minutes_between_events avg(minutes_between_events) as avg_minutes_between_events max(minutes_between_events) as max_minutes_between_events by index sourcetype
| eval avg_minutes_between_events=round(avg_minutes_between_events,0)
| eval max_hours_between_events=round(max_minutes_between_events/60,2)

results for multiple sourcetypes

bandit_0-1669926850213.png

results for a single sourcetype

bandit_0-1669926467233.png

Labels (2)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

When using streamstats + window and a by clause, you need to specify global flag

| streamstats window=1 global=false current=false sum(event_count) as event_count values(_time) as prev_time by index sourcetype

View solution in original post

bandit
Motivator

Thanks for the help @bowesmana - much appreciated!

0 Karma

bowesmana
SplunkTrust
SplunkTrust

When using streamstats + window and a by clause, you need to specify global flag

| streamstats window=1 global=false current=false sum(event_count) as event_count values(_time) as prev_time by index sourcetype

Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...