Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

streamstats vs. tstats

a212830
Champion
‎04-14-2017 08:21 AM

Hi,

I have a customer who is using streamstats to validate data is coming into Splunk. I recommended tstats, and do a count by index/hostname.... Is one approach better than the other? We want to validate that data is coming in a consistent manner, based upon event counts.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-14-2017 08:26 AM

Streamstats is for generating cumulative aggregation on the result and not sure how it was useful to check data is coming to Splunk. The tstats command run on txidx files (metadata) and is lighting faster. So, as long as your check to validate data is coming or not, involves metadata fields or indexed fields, tstats would be the way to go. If you can share the search that customer is using with streamstats, then we can say for sure if tstats can replace that.

View solution in original post

Reply
Solved! Jump to solution

hardikJsheth
Motivator
‎04-14-2017 01:28 PM

If you are looking only for number of events within index, metadata command would be better option.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-14-2017 08:26 AM

If you can use tstats, then definitely do; it is much more efficient to gather your data from indexed metadata than by mining from inside of the events (buckets). This is a no-brainer. The problem is that many things cannot be done with tstats.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-14-2017 08:26 AM

Streamstats is for generating cumulative aggregation on the result and not sure how it was useful to check data is coming to Splunk. The tstats command run on txidx files (metadata) and is lighting faster. So, as long as your check to validate data is coming or not, involves metadata fields or indexed fields, tstats would be the way to go. If you can share the search that customer is using with streamstats, then we can say for sure if tstats can replace that.

Reply
Solved! Jump to solution

a212830
Champion
‎04-14-2017 08:28 AM 
index=euc_network90 sourcetype=era_full_syslog host=myhost |streamstats count|timechart span=1d sum(count)
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-14-2017 08:32 AM

Ohh yeah.. You can use tstats for this. Like this

| tstats count WHERE index=euc_network90 sourcetype=era_full_syslog host=myhost by _time span=1d | accum count

Not sure if the streamstats was used correctly there.

0 Karma
Reply
Solved! Jump to solution

a212830
Champion
‎04-14-2017 08:50 AM

Right, I use tstats. Trying to explain the different to my customer and why their search isn't correct and what is it actually reporting. Not quite sure...

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-14-2017 09:04 AM

Here is how the streamstats is working (just sample data, adding a table command for better representation).

index=euc_network90 sourcetype=era_full_syslog host=myhost | table _time |streamstats count

This will generate data like this

_time count
xxxxxx 1
xxxxxx 2
xxxxxx 3
xxxxxx 4
....

Adding timechart would actually add this serial number values and would give wrong/much higher count (instead of getting 4 as the event count, the result would show 10).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...