Splunk Search

Why is streamstats "reset_on_change=true" not working?

sathiyasun
Explorer

So here is my search:

index=* sourcetype=xyz source=pp iso_direction="outgoing" *0210* 
| eval Error_Count=if(de39_response_code!=00,"true","false")
| table _time de39_response_code Error_Count
| streamstats count by Error_Count 

Current result :

_time                    de39_response_code  Error_Count  count
2017-01-30 09:57:26.505  05                  true         1
2017-01-30 09:56:37.142  05                  true         2
2017-01-30 09:55:52.728  05                  true         3
2017-01-30 09:55:40.469  05                  true         4
2017-01-30 09:49:19.215  00                  false        1
2017-01-30 09:49:10.167  05                  true         5
2017-01-30 09:42:49.599  05                  true         6
2017-01-30 09:30:32.162  05                  true         7
2017-01-30 09:54:41.951  05                  true         8

So when I am trying to use the command: reset_on_change=true, it gives me an invalid argument error and doesn't reset the count.

Expected result :

index=* sourcetype=xyz source=pp iso_direction="outgoing" *0210* 
| eval Error_Count=if(de39_response_code!=00,"true","false")
| table _time de39_response_code Error_Count
| streamstats count by Error_Count reset_on_change=true


_time                    de39_response_code  Error_Count  count
2017-01-30 09:57:26.505  05                  true         1
2017-01-30 09:56:37.142  05                  true         2
2017-01-30 09:55:52.728  05                  true         3
2017-01-30 09:55:40.469  05                  true         4
2017-01-30 09:49:19.215  00                  false        1
2017-01-30 09:49:10.167  05                  true         1
2017-01-30 09:42:49.599  05                  true         2
2017-01-30 09:30:32.162  05                  true         3
2017-01-30 09:54:41.951  05                  true         4

Any help?

1 Solution

rjthibod
Champion

What version of Splunk are you running? That option was added in 6.4.


aaraneta_splunk
Splunk Employee

@sathiyasun - Did upgrading your Splunk instance help resolve your issue? If yes, please don't forget to resolve this post by clicking on "Accept" below the best answer and upvoting any comments that were helpful. If you still need more help, please provide a comment with some feedback. Thanks!


sathiyasun
Explorer

I guess that is the issue. I am using Splunk 6.3.1. Thanks. Let me try to upgrade it and see if that works for me.


gokadroid
Motivator

I tried with streamstats and your SPL seems to work fine with that argument in my local, which is Splunk 6.5.x.
In fact, the error that you are reporting shall come for the following:

Error in 'eventstats' command: The argument 'reset_on_change=true' is invalid.

Error in 'stats' command: The argument 'reset_on_change=true' is invalid.

Error in 'sistats' command: The argument 'reset_on_change=true' is invalid.

Error in 'tstats' command: Invalid argument: 'reset_on_change=true'


sathiyasun
Explorer

I am using Splunk 6.3.1. Do you think that could be an issue here?


gokadroid
Motivator

Yes, that is the issue!! 6.4.x or higher is what's needed.
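
Where upgrading is not possible, the per-run count from the "Expected result" table can be built without reset_on_change by numbering each run of identical Error_Count values and counting within the run. This is an added example, not part of any post in the thread; it reuses the asker's base search unchanged, assumes the streamstats options current and window are available on the version in use, and the field names prev_Error_Count, run_start and run_id are made up for the illustration.

```spl
index=* sourcetype=xyz source=pp iso_direction="outgoing" *0210*
| eval Error_Count=if(de39_response_code!=00,"true","false")
| table _time de39_response_code Error_Count
| streamstats current=f window=1 last(Error_Count) as prev_Error_Count
| eval run_start=if(isnull(prev_Error_Count) OR prev_Error_Count!=Error_Count, 1, 0)
| streamstats sum(run_start) as run_id
| streamstats count by run_id
| fields - prev_Error_Count run_start run_id
```

The first streamstats copies the previous event's Error_Count onto each row, run_start marks the rows where the value changes, and the running sum of run_start gives every consecutive run its own run_id, so the final count restarts at 1 on each change.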
