Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- streamstats sum() by not functioning as expected
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
streamstats sum() by not functioning as expected
Hi,
I have the following search, which is attempting to add up the number of dropped and processed syslog messages in each event, based on the field syslog_dest_host:
sourcetype="syslog-stats" | streamstats window=1 sum(syslog_dropped) as Dest_Syslog_Dropped, sum(syslog_processed) as Dest_Syslog_Processed by syslog_dest_host | table _time, host, syslog_dest_host, syslog_dropped, Dest_Syslog_Dropped, syslog_processed, Dest_Syslog_Processed
When this is run, however, I see that the sum is being taken over all values of syslog_dest_host in the event, rather than one sum per syslog_dest_host, eg:
host syslog_dest_host syslog_dropped Dest_Syslog_Dropped ...
host1 dest1 1 12
dest2 1
dest2 3
dest1 4
dest1 2
dest2 1
However, what I would like to see is:
host syslog_dest_host syslog_dropped Dest_Syslog_Dropped ...
host1 dest1 1 7
dest2 1 5
dest2 3
dest1 4
dest1 2
dest2 1
Is what I want even possible?
If not, is there a way to filter within the event, such that only the instances of syslog_dest_host and syslog_dropped are returned when syslog_dest_host=host1? I tried adding this to the search string "sourcetype=syslog-stats syslog_dest_host=host1", but because host1 appears somewhere in the event, the entire event is returned.
Rgds,
Brett.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would get out of multivalue-land for this, even if you go back into multivalue fields at the end.
For example:
sourcetype="syslog-stats" | mvexpand syslog_dest_host | streamstats window=1 sum(syslog_dropped) as Dest_Syslog_Dropped, sum(syslog_processed) as Dest_Syslog_Processed by syslog_dest_host | table _time, host, syslog_dest_host, syslog_dropped, Dest_Syslog_Dropped, syslog_processed, Dest_Syslog_Processed
If you need to fold it back up the way it was at the end, then do this:
sourcetype="syslog-stats" | streamstats count as rowId | mvexpand syslog_dest_host | streamstats window=1 sum(syslog_dropped) as Dest_Syslog_Dropped, sum(syslog_processed) as Dest_Syslog_Processed by syslog_dest_host | table _time, host, syslog_dest_host, syslog_dropped, Dest_Syslog_Dropped, syslog_processed, Dest_Syslog_Processed | stats values(*) as * by rowId
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello bro,
try the below search.
sourcetype="syslog-stats" | streamstats window=1 global=false sum(syslog_dropped) as Dest_Syslog_Dropped, sum(syslog_processed) as Dest_Syslog_Processed by syslog_dest_host | table _time, host, syslog_dest_host, syslog_dropped, Dest_Syslog_Dropped, syslog_processed, Dest_Syslog_Processed
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Splunk MCP & Agentic AI: Machine Data Without Limits
