Splunk Search

Streamstats count

pranaynanda
Path Finder

I want a cumulative count of a field that has multiple values. Somehow this isn't working:

base search| streamstats count(State) as dur time_window=1w| timechart sum(dur) by State span=1w
0 Karma
1 Solution

somesoni2
Revered Legend

Try this (always have span just after timechart command)

base search| timechart span=1w count by State |  streamstats sum(*) as *

View solution in original post

somesoni2
Revered Legend

Try this (always have span just after timechart command)

base search| timechart span=1w count by State |  streamstats sum(*) as *

View solution in original post

pranaynanda
Path Finder

Voila! You're there! Thanks! I expect some admin to convert your comment to the answer! Amazing job! Thank you.

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

And the community expects you to accept the answer, please. 😉

woodcock
Esteemed Legend

Please explain your use case (your desired ending dataset).

0 Karma

pranaynanda
Path Finder

something like this does solve my problem as @somesoni2 suggested but I would like to see data split into weeks instead of months:

 base search| timechart count by State span=1w |  streamstats sum(*) as *
0 Karma

somesoni2
Revered Legend

How about this?

base search| timechart count by State span=1w |  streamstats sum(*) as *

pranaynanda
Path Finder

this pretty much solves it except that I see the results split into months instead of weeks as desired.

0 Karma

cmerriman
Super Champion

can you give some example data and expected results? a few more details might make this easier to answer, thanks 🙂

you might need to sort your events before your streamstats since you're doing a time_window.

0 Karma

pranaynanda
Path Finder

something like this does solve my problem as @somesoni2 suggested but I would like to see data split into weeks instead of months:

 base search| timechart count by State span=1w |  streamstats sum(*) as *
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!