
Why don't the per_minute() and per_second() functions work with the stats and streamstats commands?

NPR
Path Finder

I see this in the Search Reference manual:

Stats functions options

stats-function
Syntax: avg() | c() | count() | dc() | distinct_count() | first() | last() | list() |
max() | median() | min() | mode() | p<int>() | perc<int>() | per_day() |
per_hour() | per_minute() | per_second() | range() | stdev() | stdevp() |
sum() | sumsq() | values() | var() | varp()

Description: Functions used with the stats command. Each time you
invoke the stats command, you can use more than one function;
however, you can only use one by clause. For a complete list of stats
functions with descriptions and examples, see "Functions for stats, chart,
and timechart".

But when I run the per_minute() and per_second() functions with the stats and streamstats commands, they don't work. Why?
Any idea?

Thanks.

0 Karma

stephane_cyrill
Builder

Hi everyone,

On page 145 of the Splunk 6.2.2 SearchReference.pdf, where you saw STATS-FUNCTION, as NPR posted above, stats-function there is meant in the general sense of statistics. Those functions are not all specifically for the STATS COMMAND.

At the end of that paragraph you have a link, "Functions for stats, chart, and timechart". This link redirects us to page 56 of the same document.
There we have a table that lists the functions and the commands with which we use them.

It is clearly mentioned there that the functions per_day(), per_hour(), per_minute() and per_second() are used only with the TIMECHART COMMAND.

SO YOU CAN UNDERSTAND THAT IN SPLUNK, FOR THE MOMENT, WE DO NOT USE these functions with the stats command.

See the manual here:

docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Whatsinthismanual

chimell
Motivator

Hi NPR,
The per_second() function is easily applicable to the timechart command. Therefore, you can use a subsearch using timechart and the per_second() function before using the streamstats command.

This means that you can use timechart and the streamstats or stats command in the same request; just make sure that the timechart command comes before the streamstats or stats command in your request. Look at an example:

 index="_introspection" | timechart per_second(data.localTime) as X | streamstats current=t global=f window=2 range(X) as X1

You can follow this link for more information:

http://answers.splunk.com/answers/228525/how-to-use-the-per-second-function-with-streamstat.html#ans...

NPR
Path Finder

Thanks, but I want it with the stats and streamstats commands,
and thanks also for the link.

0 Karma

ngatchasandra
Builder

Hi,
I think this is a mistake! When you execute the streamstats and stats commands with the per_minute, per_second and per_day functions, Splunk does not see them as functions but as an argument! Because this is what is shown when you execute the search: Error in 'stats' command: The argument 'per_day(bytes)' is invalid.

But this works very well with the timechart command, because the timechart command can split results into time slots. For example:

index=_internal | timechart per_day(bytes)
0 Karma

NPR
Path Finder

Thanks, but I want it with the stats and streamstats commands.

0 Karma
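
A way to get a per-second rate without timechart, for the stats/streamstats case asked about in this thread. This is an added example, not from any poster or from the Splunk manual. It assumes that timechart's per_second(X) is the sum of X in each time bucket divided by the bucket length in seconds; the 1-minute span, the constant 60, and the output field names are choices made for this example, while index=_internal, the bytes field and the streamstats options are taken from the posts above.

```spl
index=_internal bytes=*
| bin _time span=1m
| stats sum(bytes) AS bytes_in_span BY _time
| eval span_seconds = 60
| eval bytes_per_second = bytes_in_span / span_seconds
| eval bytes_per_minute = bytes_in_span / (span_seconds / 60)
| streamstats current=t global=f window=2 range(bytes_per_second) AS rate_change
| table _time bytes_in_span bytes_per_second bytes_per_minute rate_change
```

If the span in the bin command is changed, span_seconds has to be changed to match. Unlike timechart, stats does not emit rows for empty buckets, so minutes with no events are missing rather than zero.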