Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

why per_minute(), per_second() Functions don't work with Stats and streamstats command ??

NPR
Path Finder
‎04-18-2015 09:16 AM

i see this in Search Reference manuel
Stats functions options

stats-function
Syntax:avg() | c() | count() | dc() | distinct_count() | first() | last() | list() |
max() | median() | min() | mode() | p<in>() | perc<int>() | per_day() |
per_hour() | per_minute() | per_second() | range() | stdev() | stdevp() |
sum() | sumsq() | values() | var() | varp()

Description:Functions used with the stats command. Each time you
invoke the statscommand, you can use more than one function;
however, you can only use one by clause. For a complete list of stats
functions with descriptions and examples, see "Functions for stats, chart,
and timechart".

but when i run per_minute(), per_second() Functions with Stats and streamstats commands.
it isn't work why ?
any idea?

thank.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

stephane_cyrill
Builder
‎04-18-2015 02:48 PM

Hi everyone,

at the page 145 in splunk 6.2.2 SearchReference.pdf, where you saw STATS-FUNCTION, as NPR post up there, stats-function there is in the general sense of statistics. all that function are not precisely for STATS COMMAND.

at the end of that paragraph you have a link. "Functions for stats,chart,and timechart" this link redirect us at page 56 of the same document.
There we have a table that list Functions and that commands with which we use them.

It is clearly mention there that functions, per_day(), per_hour(), per_minute(),per_second() are use only with the COMMAND TIMECHART.

SO YOU CAN UNDERSTAND THAT IN SPLUNK FOR THE MOMENT WE DO NOT USE these functions with stats command.

see the manual here:

docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Whatsinthismanual

View solution in original post

Reply
Solved! Jump to solution

chimell
Motivator
‎04-19-2015 05:43 AM

Hi NPR
per_second() function is easily applicable to timechart command .Therefore , you can use a subsearch using timechart and per_second() function before use streamstats command.

Mean that you can use timechart and streamstats Or stats command in the same request , you make sure that timechart command come before streamstats or stats command in your request : look at an example

 index="_introspection" | timechart per_second(data.localTime) as X| streamstats current=t global=f window=2 range(X) as X1

you can follow this link for more information

http://answers.splunk.com/answers/228525/how-to-use-the-per-second-function-with-streamstat.html#ans...

Reply
Solved! Jump to solution

NPR
Path Finder
‎04-19-2015 05:52 AM

thank but i want with Stats and streamstats command
and thank olso for the link.

0 Karma
Reply
Solved! Jump to solution
Solution

stephane_cyrill
Builder
‎04-18-2015 02:48 PM

Hi everyone,

at the page 145 in splunk 6.2.2 SearchReference.pdf, where you saw STATS-FUNCTION, as NPR post up there, stats-function there is in the general sense of statistics. all that function are not precisely for STATS COMMAND.

at the end of that paragraph you have a link. "Functions for stats,chart,and timechart" this link redirect us at page 56 of the same document.
There we have a table that list Functions and that commands with which we use them.

It is clearly mention there that functions, per_day(), per_hour(), per_minute(),per_second() are use only with the COMMAND TIMECHART.

SO YOU CAN UNDERSTAND THAT IN SPLUNK FOR THE MOMENT WE DO NOT USE these functions with stats command.

see the manual here:

docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Whatsinthismanual

Reply
Solved! Jump to solution

ngatchasandra
Builder
‎04-18-2015 10:52 AM

Hi,
I think this is a mistake ! When you execute the commands streamstats and stats with per_minute functions per_second and per_day , splunk does not see them as the functions but as a argrument ! Because this is what is noted when execute the search. Error in 'stats' command: The argument 'per_day(bytes)' is invalid.

But this is work very fine with timechart command because timechart command can split results in time slot. Like follow for example:

index=_internal|timechart per_day(bytes)
0 Karma
Reply
Solved! Jump to solution

NPR
Path Finder
‎04-19-2015 05:50 AM

thank but i want with Stats and streamstats command

0 Karma
Reply
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...