Streamstats count

Path Finder

I want a cumulative count of a field that has multiple values. Somehow this isn't working:

base search| streamstats count(State) as dur time_window=1w| timechart sum(dur) by State span=1w
0 Karma

Re: Streamstats count

Super Champion

Can you give some example data and expected results? A few more details might make this easier to answer, thanks 🙂

You might need to sort your events before your streamstats since you're doing a time_window.

0 Karma

Re: Streamstats count

Path Finder

Something like this does solve my problem, as @somesoni2 suggested, but I would like to see data split into weeks instead of months:

 base search| timechart count by State span=1w |  streamstats sum(*) as *
0 Karma

Re: Streamstats count

SplunkTrust

How about this?

base search| timechart count by State span=1w |  streamstats sum(*) as *

Re: Streamstats count

Path Finder

This pretty much solves it, except that I see the results split into months instead of weeks as desired.

0 Karma

Re: Streamstats count

Esteemed Legend

Please explain your use case (your desired ending dataset).

0 Karma

Re: Streamstats count

SplunkTrust

Try this (always have span just after timechart command)

base search| timechart span=1w count by State |  streamstats sum(*) as *
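
What the pipeline above computes, modelled in Python as an added example (not code from the thread): `timechart span=1w count by State` yields one zero-filled row per week, and `streamstats sum(*) as *` turns each State column into a running total. The function names, the sample events and the fixed 7-day bucketing from `START` are assumptions; Splunk chooses its own week boundaries.

```python
from collections import Counter
from datetime import datetime, timedelta

WEEK = timedelta(weeks=1)

def weekly_counts(events, start):
    """Model of `timechart span=1w count by State`: one row per 7-day bucket,
    one column per State, 0 where a State has no events in that bucket."""
    states = sorted({state for _, state in events})
    buckets = Counter(((ts - start) // WEEK, state) for ts, state in events)
    last = max(week for week, _ in buckets)
    return [
        {"_time": start + week * WEEK, **{s: buckets[(week, s)] for s in states}}
        for week in range(last + 1)
    ]

def running_totals(rows):
    """Model of `streamstats sum(*) as *`: replace every count column with
    its running sum over the rows seen so far, in row order."""
    totals = Counter()
    out = []
    for row in rows:
        new_row = {"_time": row["_time"]}
        for field, value in row.items():
            if field != "_time":  # the wildcard does not touch _time
                totals[field] += value
                new_row[field] = totals[field]
        out.append(new_row)
    return out

# Constructed sample events (timestamp, State); not data from the thread.
START = datetime(2024, 1, 1)
EVENTS = [
    (datetime(2024, 1, 2), "open"),
    (datetime(2024, 1, 3), "closed"),
    (datetime(2024, 1, 5), "open"),
    (datetime(2024, 1, 17), "open"),   # week 2; week 1 has no events at all
    (datetime(2024, 1, 18), "closed"),
    (datetime(2024, 1, 19), "closed"),
]

if __name__ == "__main__":
    for row in running_totals(weekly_counts(EVENTS, START)):
        print(row["_time"].date(), {k: v for k, v in row.items() if k != "_time"})
```

The empty middle week still produces a row, so the cumulative values stay flat there instead of leaving a gap.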

Re: Streamstats count

Path Finder

Voila! You're there! Thanks! I expect some admin to convert your comment to the answer! Amazing job! Thank you.

0 Karma

Re: Streamstats count

Splunk Employee

And the community expects you to accept the answer, please. 😉