
Why is streamstats "reset_on_change=true" not working?

Explorer

So here is my search:

index=* sourcetype=xyz source=pp iso_direction="outgoing" *0210* 
| eval Error_Count=if(de39_response_code!=00,"true","false")
| table _time de39_response_code Error_Count
| streamstats count by Error_Count 

Current result :

_time                               de39_response_code  Error_Count count
2017-01-30 09:57:26.505           05                    true           1
2017-01-30 09:56:37.142           05                    true           2
2017-01-30 09:55:52.728           05                    true           3
2017-01-30 09:55:40.469           05                    true           4
2017-01-30 09:49:19.215           00                    false         1
2017-01-30 09:49:10.167           05                    true           5
2017-01-30 09:42:49.599           05                    true           6
2017-01-30 09:30:32.162           05                    true           7
2017-01-30 09:54:41.951           05                    true           8

So when I try to use the argument reset_on_change=true, it gives me the error "invalid argument" and doesn't reset the count.

Expected result :

index=* sourcetype=xyz source=pp iso_direction="outgoing" *0210* 
| eval Error_Count=if(de39_response_code!=00,"true","false")
| table _time de39_response_code Error_Count
| streamstats count by Error_Count reset_on_change=true


_time                               de39_response_code  Error_Count count
2017-01-30 09:57:26.505           05                    true           1
2017-01-30 09:56:37.142           05                    true           2
2017-01-30 09:55:52.728           05                    true           3
2017-01-30 09:55:40.469           05                    true           4
2017-01-30 09:49:19.215           00                    false         1
2017-01-30 09:49:10.167           05                    true           1
2017-01-30 09:42:49.599           05                    true           2
2017-01-30 09:30:32.162           05                    true           3
2017-01-30 09:54:41.951           05                    true           4

Any help?

0 Karma
Re: Why is streamstats "reset_on_change=true" not working?

Motivator

I tried with streamstats and your SPL seems to work fine with that argument in my local, which is Splunk 6.5.x.
In fact, the error that you are reporting shall come for the following:

Error in 'eventstats' command: The argument 'reset_on_change=true' is invalid.

Error in 'stats' command: The argument 'reset_on_change=true' is invalid.

Error in 'sistats' command: The argument 'reset_on_change=true' is invalid.

Error in 'tstats' command: Invalid argument: 'reset_on_change=true'

0 Karma
Re: Why is streamstats "reset_on_change=true" not working?

Explorer

I am using Splunk 6.3.1. Do you think that could be an issue here?

0 Karma
Re: Why is streamstats "reset_on_change=true" not working?

Motivator

Yes, that is the issue!! 6.4.x or higher is what's needed.

Re: Why is streamstats "reset_on_change=true" not working?

Champion

What version of Splunk are you running? That option was added in 6.4.


0 Karma
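For a Splunk version older than 6.4, where streamstats does not accept reset_on_change, the same per-run count can be built by hand from options that older releases already have. The search below is an added example, not part of the original thread; the field names prev_Error_Count, changed and run_id are assumptions introduced here for illustration.

```spl
index=* sourcetype=xyz source=pp iso_direction="outgoing" *0210*
| eval Error_Count=if(de39_response_code!=00,"true","false")
| streamstats current=f window=1 last(Error_Count) as prev_Error_Count
| eval changed=if(isnull(prev_Error_Count) OR Error_Count!=prev_Error_Count, 1, 0)
| streamstats sum(changed) as run_id
| streamstats count by run_id
| table _time de39_response_code Error_Count count
```

The first streamstats copies the previous event's Error_Count onto the current event, changed marks the first event of each run, and the running sum turns those marks into a run number. Counting by run_id then restarts at 1 whenever Error_Count flips, which is the output shown under "Expected result".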
Re: Why is streamstats "reset_on_change=true" not working?

Explorer

I guess that is the issue. I am using Splunk 6.3.1. Thanks. Let me try to upgrade it and see if that works for me.

0 Karma
Re: Why is streamstats "reset_on_change=true" not working?

Splunk Employee

@sathiyasun - Did upgrading your Splunk instance help resolve your issue? If yes, please don't forget to resolve this post by clicking on "Accept" below the best answer and upvoting any comments that were helpful. If you still need more help, please provide a comment with some feedback. Thanks!

0 Karma