Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to get a running total using the streamstats command in my search?

ra01
Path Finder
‎05-23-2016 11:47 AM

When I try the search to create a running total out of the streamstats documentation, it doesn't work. Nothing changes when I add/remove the streamstats part at the end:

For reference:

... | timechart span=1h sum(value) as total by category | streamstats global=f sum(total) as accu_total

http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/streamstats

When I try:

| transaction uid mvlist=f keepevicted=t maxpause=5m
| eval didco = if(match(url, "/checkout/order"), 1, 0 ) 
| timechart span=15m sum(didco) as total  by experienceId_1
| streamstats global=f sum(total) as accu_total

I get the same result if I add/remove the streamstats line. I get rows with each time break, and two columns for the two different "experienceId_1" values, but no running total.

UPDATE: When I try running this without doing the 'transaction' it runs ok, so it seems like something about the transaction command is not going good.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-23-2016 12:03 PM

After timechart command, there is no field named total (only field available will be _time and one field for each value of category)
Try this instead.

your base search | timechart span=1h sum(value) as total by category | streamstats global=f sum(*) as accu_total_*

OR

  your base search | timechart span=1h sum(value) as total by category | addtotals | accum Total | rename Total as accu_total

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎05-23-2016 12:03 PM

After timechart command, there is no field named total (only field available will be _time and one field for each value of category)
Try this instead.

your base search | timechart span=1h sum(value) as total by category | streamstats global=f sum(*) as accu_total_*

OR

  your base search | timechart span=1h sum(value) as total by category | addtotals | accum Total | rename Total as accu_total
Reply
Solved! Jump to solution

ra01
Path Finder
‎05-23-2016 12:13 PM

that works, but why doesn't the example from the documentation work? The sum(total) bit that you changed is right out of the documentation page.

How'd i get that wrong?

btw, thanks so much for helping me fix this.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-23-2016 12:59 PM

It seems to be documentation's example is incorrect. I've left the comments there for the moderator to see and take action.

0 Karma
Reply
Solved! Jump to solution

ra01
Path Finder
‎05-23-2016 01:24 PM

thanks. I spent way too long trying to figure out what i was doing wrong between the docs and my search string.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...