Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to get a running total using the streamstats command in my search?

ra01
Path Finder
‎05-23-2016 11:47 AM

When I try the search to create a running total out of the streamstats documentation, it doesn't work. Nothing changes when I add/remove the streamstats part at the end:

For reference:

... | timechart span=1h sum(value) as total by category | streamstats global=f sum(total) as accu_total

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/streamstats

When I try:

| transaction uid mvlist=f keepevicted=t maxpause=5m
| eval didco = if(match(url, "/checkout/order"), 1, 0 ) 
| timechart span=15m sum(didco) as total  by experienceId_1
| streamstats global=f sum(total) as accu_total

I get the same result if I add/remove the streamstats line. I get rows with each time break, and two columns for the two different "experienceId_1" values, but no running total.

UPDATE: When I try running this without doing the 'transaction' it runs ok, so it seems like something about the transaction command is not going good.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-23-2016 12:03 PM

After timechart command, there is no field named total (only field available will be _time and one field for each value of category)
Try this instead.

your base search | timechart span=1h sum(value) as total by category | streamstats global=f sum(*) as accu_total_*

OR

  your base search | timechart span=1h sum(value) as total by category | addtotals | accum Total | rename Total as accu_total

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-23-2016 12:03 PM

After timechart command, there is no field named total (only field available will be _time and one field for each value of category)
Try this instead.

your base search | timechart span=1h sum(value) as total by category | streamstats global=f sum(*) as accu_total_*

OR

  your base search | timechart span=1h sum(value) as total by category | addtotals | accum Total | rename Total as accu_total
Reply
Solved! Jump to solution

ra01
Path Finder
‎05-23-2016 12:13 PM

that works, but why doesn't the example from the documentation work? The sum(total) bit that you changed is right out of the documentation page.

How'd i get that wrong?

btw, thanks so much for helping me fix this.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-23-2016 12:59 PM

It seems to be documentation's example is incorrect. I've left the comments there for the moderator to see and take action.

0 Karma
Reply
Solved! Jump to solution

ra01
Path Finder
‎05-23-2016 01:24 PM

thanks. I spent way too long trying to figure out what i was doing wrong between the docs and my search string.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...