Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

streamstats: reset_after function didn't work,[streamstats]: reset_after doesn't works

audherma
Engager
‎09-08-2016 07:19 AM

Hi,
I try to use the function reset_after="("<'eval-expression'>")" of the command streamchart but it didn't work. I want to use this function when the field "description" contains "session is closed". I tried a lot of code, like this one:

|streamstats reset_after="("eval(description="session is closed")")" last(beam_number) as "beam"

but splunk always says "Error in 'streamstats' command: The expression is malformed. Expected )." I don't know how I have to write that?
Thanks for the help

Tags (1)
Reply

niketn
Legend
‎12-26-2016 10:04 PM

You would need to escape quotes inside match() evaluation function. Use backslash (\) for the same

|streamstats reset_after="("match(description,\"session is closed\")")" last(beam_number) as "beam"

OR 

|streamstats reset_after="("description==\"session is closed\"")" last(beam_number) as "beam"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎12-27-2016 09:48 PM

Whatever expression you put inside reset_after="("")" should be
1) a valid eval statement
2) returning only true or false.
3) Only if the eval expression returns true the stats will reset.

I have tried both conditions and they work just fine

reset_after="("0==0")"

and 

reset_after="("\"0\"==\"0\"")"

Following are couple of examples which should always work:

Example 1: Reset count after every event i.e. 0==0

|gentimes start=12/01/2016 end=12/10/2016
| eval testCount=1
| accum testCount
| eval flag=if(0==0,"Reset Counter","Increment Counter")
| sort _time
| streamstats count as Count reset_after="("0==0")" 
| table starthuman testCount flag Count

Example 2: Reset count after every alternate event i.e. even events i.e Modular division by 2 (testCount%2)

| gentimes start=12/01/2016 end=12/10/2016
| eval testCount=1
| accum testCount
| eval flag=if(testCount%2=0,"Reset Counter","Increment Counter")
| sort _time
| streamstats count as Count reset_after="("testCount%2=0")" 
| table starthuman testCount flag Count
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

tdime
Explorer
‎12-28-2016 06:49 AM

@niketn - I confirmed this does work as you described while testing in 6.5, whoever reset_after does not seem to work in 6.3. After reviewing the documentation, "reset_after" was introduced in 6.4.

0 Karma
Reply

niketn
Legend
‎12-28-2016 09:21 AM

Are you using Splunk 6.3?
Yes you are right reset_before reset_after and reset_on_change were introduced from 6.4.0 onward.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

audherma
Engager
‎09-09-2016 12:06 AM

Hi,
I had already tried this, and I've just tried again, but it didn't work, Splunk's answer is always the same...

0 Karma
Reply

somesoni2
Revered Legend
‎09-08-2016 08:30 AM

Try like this

|streamstats reset_after="("description="session is closed"")" last(beam_number) as "beam"

OR

|streamstats reset_after="("match(description,"session is closed")")" last(beam_number) as "beam"
0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...