Solved: Streamstats count

pranaynanda · ‎08-08-2017

I want a cumulative count of a field that has multiple values. Somehow this isn't working:

base search| streamstats count(State) as dur time_window=1w| timechart sum(dur) by State span=1w

somesoni2 · ‎08-08-2017

Try this (always have span just after timechart command)

base search| timechart span=1w count by State |  streamstats sum(*) as *

somesoni2 · ‎08-08-2017

Try this (always have span just after timechart command)

base search| timechart span=1w count by State |  streamstats sum(*) as *

pranaynanda · ‎08-08-2017

Voila! You're there! Thanks! I expect some admin to convert your comment to the answer! Amazing job! Thank you.

s2_splunk · ‎08-08-2017

And the community expects you to accept the answer, please. 😉

woodcock · ‎08-08-2017

Please explain your use case (your desired ending dataset).

pranaynanda · ‎08-08-2017

something like this does solve my problem as @somesoni2 suggested but I would like to see data split into weeks instead of months:

 base search| timechart count by State span=1w |  streamstats sum(*) as *

somesoni2 · ‎08-08-2017

How about this?

base search| timechart count by State span=1w |  streamstats sum(*) as *

pranaynanda · ‎08-08-2017

this pretty much solves it except that I see the results split into months instead of weeks as desired.

cmerriman · ‎08-08-2017

can you give some example data and expected results? a few more details might make this easier to answer, thanks 🙂

you might need to sort your events before your streamstats since you're doing a time_window.

pranaynanda · ‎08-08-2017

something like this does solve my problem as @somesoni2 suggested but I would like to see data split into weeks instead of months:

 base search| timechart count by State span=1w |  streamstats sum(*) as *

Streamstats count