Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is streamstats resetting incorrectly twice in the dataset when it should not be?

DigitalBibleSoc
New Member
‎02-08-2018 03:46 PM

Hey all, we are having a bit of trouble with the streamstats command, as the title indicates. The following code returns an uninterrupted descending count in the variable "test", when the reset_before param checks for a value which never can exist ("bar"): 

| from datamodel:"cdnlogic" | streamstats global=f window=2 current=t latest(_time) AS latest_time earliest(_time) AS earliest_time BY logic_uid | eval logic_time_difference = 'latest_time' - 'earliest_time' | eval logic_time_difference = if('logic_time_difference' >= 1200, "foo", 'logic_time_difference') | streamstats global=f window=0 current=t reset_before=("logic_time_difference == \"bar\"") count AS test BY logic_uid  | table logic_time_difference,test

returning:

diff   test
0   1
961 2
5   3
418 4
407 5
20  6
23  7
1   8
foo 9
1   10
1   11
8   12
1   13
3   14
3   15
1   16
3   17
1   18
6   19
1   20

However, when reset_before is changed to look for "foo" instead of "bar", it resets the count incorrectly twice in the dataset I am testing with:

| from datamodel:"cdnlogic" | streamstats global=f window=2 current=t latest(_time) AS latest_time earliest(_time) AS earliest_time BY logic_uid | eval logic_time_difference = 'latest_time' - 'earliest_time' | eval logic_time_difference = if('logic_time_difference' >= 1200, "foo", 'logic_time_difference') | streamstats global=f window=0 current=t reset_before=("logic_time_difference == \"foo\"") count AS test BY logic_uid  | table logic_time_difference,test

returns:

diff   test
0   1
961 1 <-- ?
5   2
418 3
407 1 <-- ?
20  2
23  3
1   4
foo 1 <-- good
1    2
1   3
8   4
1   5
3   6
3   7
1   8
3   9
1   10
6   11
1   12

Any guidance on this issue, as well as consolidating the statement, is welcome.

0 Karma
Reply

493669
Super Champion
‎02-08-2018 06:21 PM

It seems due to logic_uid it getting reset abruptly, so try streamstats without BY clause

| from datamodel:"cdnlogic" | streamstats global=f window=2 current=t latest(_time) AS latest_time earliest(_time) AS earliest_time BY logic_uid | eval logic_time_difference = 'latest_time' - 'earliest_time' | eval logic_time_difference = if('logic_time_difference' >= 1200, "foo", 'logic_time_difference') | streamstats global=f window=0 current=t reset_before=("logic_time_difference == \"foo\"") count AS test   | table logic_time_difference,test
0 Karma
Reply

DigitalBibleSoc
New Member
‎02-08-2018 08:02 PM

Unfortunately, that causes it to count the instances of ALL "logic_uid"'s together:

diff    test
0      3
961    13
5      14
418 22
407 4
20  5
23  6
1   7
foo 1
1   2
1   3
8   4
1   5
3   6
3   7
1   8
3   10
1   11
6   12
1   13

Ideally, a single streamstats statement would make the most sense. Sadly, we haven't been able to figure out a way.

0 Karma
Reply

493669
Super Champion
‎02-08-2018 08:13 PM

have a look at this answer https://answers.splunk.com/answers/516142/can-streamstats-reset-before-or-reset-after-be-use.html

0 Karma
Reply

DigitalBibleSoc
New Member
‎02-09-2018 08:33 AM

Okay, that answer seems specific to counts. The actual logic we are attempting to accomplish against the dataset is not as simple as a count. In order to make the question easier to illustrate, I changed the more complex (and assumed irrelevant) logic to a count so the table output would make sense. In actuality, we are taking a sum('logic_time_difference') AS logic_time_sum up to the reset point, AND taking the latest('logic_nid') AS logic_nid, replacing the existing 'logic_nid' field of the events inside the series.

0 Karma
Reply

DigitalBibleSoc
New Member
‎02-08-2018 08:20 PM

We did take a look at that before posting this. I'll personally take a closer look at it now/tomorrow and mark as answer if that's the key. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...