Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I use the output of streamstats in current row, and have it feed back into streamstats for next row?

philtanner
New Member
‎08-08-2018 03:35 AM

I need to calculate a running total, which uses two values from the previous row (one being this calculated total), and adds on a value from this row to create the total. It's slightly hard to explain, but fairly straightforward.

Imagine I have 3 fields, StartCount (never changes), fieldA (always >=0) and fieldB (always <= 0). I need to calculate RunningTotal, where
RunningTotal = <previousRow>RunningTotal - <previousRow>fieldA - <currentRow>fieldB
On the first row, RunningTotal should be set to StartCount

So this is my desired output:

| StartCount | RunningTotal | fieldA | fieldB |    
+------------+--------------+--------+--------+
|         63 |           63 |      8 |     -3 |     <- RunningTotal = StartCount
|         63 |           57 |      6 |     -2 |     <- RunningTotal = 63 - 8 - -2
|         63 |           59 |      2 |     -8 |     <- RunningTotal = 57 - 6 - -8
|         63 |           64 |      6 |     -7 |     <- RunningTotal = 59 - 2 - -7

So this is the SPL I've tried using:

| makeresults count=10 
 | fields- _time
 | eval StartCount = 63
 | eval fieldA = random() % 10
 | eval fieldB = 0-(random() % 10)

 | streamstats current=f window=1 last(fieldA) as prev_fieldA last(RunningTotal) as prev_RunningTotal 
 | eval prev_RunningTotal  = if( isnull(prev_RunningTotal ), StartCount, prev_RunningTotal )

 | eval RunningTotal = if( isnull(prev_fieldA), StartCount, prev_RunningTotal  - prev_fieldA - fieldB )

The problem I have is that prev_RunningTotal never changes, it's always equal to StartCount.

Can I not access previous streamstats outputs within the streamstats? Or is there another way to solve this, when I don't know how many events/rows will be returned to carry out the total operation for?

0 Karma
Reply

DalJeanis
Legend
‎09-18-2018 11:06 AM

Okay, you are thinking about this the wrong way. You are "committing spreadsheet".

The value you want is the running total, right? Which is the net total from EVERYTHING that has gone before.

You will have to figure out what is appropriate to get the initial running balance (Startcount), but the rest is trivial. Calculate the net-addition onto the record, and then use streamstats to calculate the total net running balance for each record.

Here's a run-anywhere example...

| makeresults count=10 

| rename COMMENT as "Put StartCount only on the first record, put updates on all other records"
| streamstats count as recno
| eval  StartCount = case(recno==1,63)
| eval fieldA = case(recno!=1,random() % 10)
| eval fieldB = case(recno!=1,0-(random() % 10))
| fields- _time recno

| rename COMMENT as "Calculate net change"
| eval RunningNet=coalesce(StartCount, (fieldA+fieldB) ,0)

| rename COMMENT as "Calculate running totals"
| streamstats sum(RunningNet) as RunningTotal

When you find yourself stuck in a paradigm like this, it's best to step back a few feet and look at what you started with, rather than what you think you need to use from where your code happens to be. Often, the correct approach in Splunk starts with viewing the incoming events in a different light.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...