The SPL2 streamstats command adds a cumulative statistical value to each search result as each result is processed. For example, you can calculate the running total for a particular field, or compare a value in a search result with a the cumulative value, such as a running average. The streamstats command includes options for resetting the aggregates.
Syntax
The required syntax is in bold.
- streamstats
- [<by-clause>]
- [current=<bool>]
- [<reset-clause>]
- [window=<int>]
- <aggregation> ...
How the SPL2 streamstats command works
Suppose that you have the following data:
| host | action | bytes |
|---|---|---|
| x | LOGON | 100 |
| y | APP_START | 200 |
| x | FILE_DOWNLOAD | 400 |
| x | REBOOT | 50 |
| y | LOGON | 150 |
| x | LOGON | 100 |
You can use the SPL2 streamstats command to calculate and add various statistics to the search results.
Compute a moving average over a series of events
For each event, you can compute the average of the bytes field over the last 3 events, including the current event. Here's the search to use:
... | streamstats window=3 avg(bytes)
The output looks like this:
| host | action | bytes | avg(bytes) |
|---|---|---|---|
| x | LOGON | 100 | 100 |
| y | APP_START | 200 | 150 |
| x | FILE_DOWNLOAD | 400 | 233.33 |
| x | REBOOT | 50 | 216.66 |
| y | LOGON | 150 | 200 |
| x | LOGON | 100 | 100 |
- For the first event, there are no previous events. The value for the
bytesfield is returned. - For the second event, the average is returned from the sum of first and second events.
- For the remaining events, the average is returned from the sum of the current event and the two previous events.
Calculate a value until a trigger resets the calculation
Suppose you want to calculate a running total of the bytes for each host. However, when the system reboots you want the calculation for the total bytes to begin again. You can use the reset after argument to accomplish this. Here's the search to use:
...| streamstats sum(bytes) AS total_bytes BY host reset after action="REBOOT"
Because the value in the action field is a string literal, the value needs to be enclosed in double quotation marks.
The running total appears in the total_bytes field. The running total resets each time an event satisfies the action="REBOOT"criteria.
The results look like this:
| host | action | bytes | total_bytes |
|---|---|---|---|
| x | LOGON | 100 | 100 |
| y | APP_START | 200 | 200 |
| x | FILE_DOWNLOAD | 400 | 500 |
| x | REBOOT | 50 | 550 |
| y | LOGON | 150 | 150 |
| x | LOGON | 100 | 100 |
The total_bytes field accumulates a sum of the bytes so far for each host. When the reset after clause action="REBOOT" occurs in the 4th event, that event shows the sum for the x host, including the bytes for the REBOOT action. The sum of the bytes is reset for both the y and x hosts in the next events.
Applying a count to each event
You can apply a running count to your search results, which is useful when combined with other commands.
...| streamstats count()
The output looks like this:
| host | action | bytes | count |
|---|---|---|---|
| x | 100 | LOGON | 1 |
| y | APP_START | 200 | 2 |
| x | FILE_DOWNLOAD | 400 | 3 |
| x | REBOOT | 50 | 4 |
| y | LOGON | 150 | 5 |
| x | LOGON | 100 | 6 |
