streamstats
Description
Computes cumulative statistics event by event: for each event, the statistics are calculated over the events read so far (optionally grouped by field values or limited to a sliding window) and the result is added to that event as new fields.
Syntax
streamstats <functions-expression> ["," <functions-expression>]
[<by_expression>] [<onchangeExpression>] [<beforeExpression>] [<afterExpression>] [<windowExpression>]
Required Arguments
At least one function must be used:
<functions-expression>
For the description, see the stats command.
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
| <by_expression> | <by_field> ["," <by_field> ...] | | Field name(s) for grouping values; statistics are accumulated separately for each combination of by field values. |
| <beforeExpression> | reset_before=(<eval-expression>) | false | An eval expression returning a boolean. Resets the accumulated statistics before calculating them for the current event if the expression is true, so the current event starts a new accumulation. |
| <afterExpression> | reset_after=(<eval-expression>) | false | An eval expression returning a boolean. Resets the accumulated statistics after calculating them for the current event if the expression is true, so the current event still receives the accumulated values. |
| <onchangeExpression> | reset_on_change=(<boolean>) | false | Resets the accumulated statistics if the value of at least one by field changes from one event to the next. |
| <windowExpression> | window=(<int>) | 0 (unlimited) | The maximum number of most recent events over which statistics are calculated (a sliding window); 0 means no limit. |
Examples
These examples show how streamstats calculates statistics as events are read and how the command's behavior is affected by by, reset_before, reset_after, window, and reset_on_change.
Example 1
In this example, streamstats calculates a running average of amount separately for each server_name, while eventstats adds the overall average for the whole group to every event, for comparison with the running value.
source server_warnings
| streamstats avg(amount) as stream_avg by server_name
| eventstats avg(amount) as event_avg by server_name
Example 2
In this example, the sum summ accumulates the values of the field number. When the reset_after condition is met (number equals sqrt(9), that is, 3), the statistics are reset after the current event has been processed, so that event still receives the accumulated sum and the next event starts a new accumulation.
| makeresults count=10 shownumbers=true
| streamstats sum(number) as summ reset_after = (number==sqrt(9))
Example 3
In this example, the query simultaneously calculates the running average of amount and the event count. When the reset_before condition is met (amount equals abs(-16), that is, 16), the accumulated values are reset before the current event is processed, so that event starts a new accumulation.
source server_warnings
| streamstats avg(amount) as stream_avg, count reset_before = (amount==abs(-16))
Example 4
In this example, the command uses a sliding window of the three most recent events, so the statistics are calculated not over the entire history but only over the nearest records.
source server_warnings
| streamstats avg(amount) as stream_avg, count window=3
Example 5
In this example, the counter is maintained separately for each action value, is reset whenever the action value changes from one event to the next, and is additionally reset before counting when the reset_before condition (computer equals "vb.host2") is true.
source apps
| streamstats count by action reset_on_change=true reset_before=(computer == "vb.host2")
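The following is an added reference model of the streamstats semantics described above, written in Python for this page; it is not the product's own implementation. It replays constructed events in read order through the by, window, reset_before, reset_after and reset_on_change options from Examples 2, 4 and 5, so the effect of each option on the accumulated values can be inspected. Assumptions are marked in the comments: makeresults with shownumbers=true is assumed to produce number = 1..10, reset_on_change is assumed to be evaluated before reset_before (the page does not state an order), and the window is applied within each by group.

```python
from collections import deque


def _aggregate(agg, buf, field):
    """Compute one aggregate over the events currently in the accumulation buffer."""
    if agg == "count":
        return len(buf) if field is None else sum(1 for e in buf if field in e)
    values = [e[field] for e in buf if field in e]  # events without the field are skipped
    if not values:
        return None
    if agg == "sum":
        return sum(values)
    if agg == "avg":
        return sum(values) / len(values)
    if agg == "min":
        return min(values)
    if agg == "max":
        return max(values)
    raise ValueError(f"unsupported function: {agg}")


def streamstats(events, funcs, by=(), window=0, reset_before=None,
                reset_after=None, reset_on_change=False):
    """Reference model of streamstats (added example, not the product's code).

    events: list of dicts in read order.
    funcs:  {output_field: (function_name, input_field or None)}, e.g. {"summ": ("sum", "number")}.
    Returns a copy of each event with the output fields added.
    """
    buffers = {}      # by-key -> deque of events in the current accumulation for that group
    last_key = None   # by-key of the previous event, used by reset_on_change
    out = []
    for ev in events:
        key = tuple(ev.get(f) for f in by)
        # Assumption: reset_on_change is checked before reset_before; the page gives no order.
        if reset_on_change and last_key is not None and key != last_key:
            buffers.clear()
        last_key = key
        if reset_before is not None and reset_before(ev):
            buffers[key] = deque()          # current event starts a fresh accumulation
        buf = buffers.setdefault(key, deque())
        buf.append(ev)
        if window and len(buf) > window:    # assumption: window applies within each by group
            buf.popleft()
        row = dict(ev)
        for name, (agg, field) in funcs.items():
            row[name] = _aggregate(agg, buf, field)
        out.append(row)
        if reset_after is not None and reset_after(ev):
            buffers[key] = deque()          # current event kept its values; next one starts fresh
    return out


def example_reset_after():
    """Example 2: assumed makeresults count=10 shownumbers=true gives number = 1..10."""
    events = [{"number": n} for n in range(1, 11)]
    rows = streamstats(events, {"summ": ("sum", "number")},
                       reset_after=lambda e: e["number"] == 3)   # sqrt(9) == 3
    return [r["summ"] for r in rows]   # -> [1, 3, 6, 4, 9, 15, 22, 30, 39, 49]


def example_window():
    """Example 4 over constructed server_warnings events: window=3 sliding average and count."""
    events = [{"server_name": "web1", "amount": a} for a in (10, 20, 30, 40, 50)]
    rows = streamstats(events, {"stream_avg": ("avg", "amount"), "count": ("count", None)}, window=3)
    return [(r["stream_avg"], r["count"]) for r in rows]
    # -> [(10.0, 1), (15.0, 2), (20.0, 3), (30.0, 3), (40.0, 3)]


def example_reset_on_change():
    """Example 5 over constructed apps events: count by action, reset on change and on vb.host2."""
    events = [
        {"action": "login",  "computer": "vb.host1"},
        {"action": "login",  "computer": "vb.host1"},
        {"action": "login",  "computer": "vb.host2"},   # reset_before fires: count restarts at 1
        {"action": "login",  "computer": "vb.host1"},
        {"action": "logout", "computer": "vb.host1"},   # action changed: all groups reset
        {"action": "login",  "computer": "vb.host1"},   # action changed again: login restarts at 1
    ]
    rows = streamstats(events, {"count": ("count", None)}, by=("action",),
                       reset_on_change=True,
                       reset_before=lambda e: e["computer"] == "vb.host2")
    return [r["count"] for r in rows]   # -> [1, 2, 1, 2, 1, 1]


if __name__ == "__main__":
    print(example_reset_after())
    print(example_window())
    print(example_reset_on_change())
```

The last example shows why reset_on_change matters for detection-style counts such as failed logins per action or per user: without it, an action value that reappears after a gap continues its old count, which is what the by clause alone gives (compare the by-only behaviour by calling streamstats without reset_on_change).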