Difference between STREAMSTATS and EVENTSTATS commands in Splunk
Hi everyone!! Here we have come with an interesting topic related to SPL commands. You will often hear about the streamstats and eventstats commands when you are building dashboards in Splunk, so here we are to give you a clear idea of the difference between the two.
Streamstats Command
The streamstats command computes the aggregate function over each event together with the events that came before it, and returns a statistical result for each event. For streamstats the order of the events matters to the output: it holds the running value from the previous events until it receives a new event. The output is added inline to the results returned by the previous pipe. Below we have given an example:
index=_internal sourcetype=splunkd_ui_access
| table method,status
| dedup method,status
| streamstats sum(status) by method
Result: (screenshot of the output table)
Explanation:
In the above query, method and status are both existing field names in the _internal index, and the sourcetype name is splunkd_ui_access. We have put the method and status fields in tabular format with the table command, and with the dedup command we have removed duplicate (method, status) combinations from the result set. Finally we have taken the summation of the status field values by method with the help of the sum function, computed by the streamstats command. In the sum(status) field of the above image you can see the running summation values.
Example: For the rows where the method field value is equal to GET we have taken the summation of status. The result is shown in each row in streaming order: the command holds the running total for GET until it receives a new GET event, and on receiving it performs the summation again. GET values appear in row 1, row 4, row 5 and row 7.
See the sum(status) column:
Row 1 – 200
Row 4 – 200 + 304 = 504
Row 5 – 504 + 303 = 807
Row 7 – 807 + 404 = 1211
********************************************************************************
Eventstats Command
The eventstats command computes the aggregate function taking all events as input and returns a statistical result for each event. Unlike streamstats, for eventstats the order of the events doesn't matter to the output: it looks at all events at once and then computes the result. It gives the output inline with the results returned by the previous pipe, but the value is the same for every event that shares the same grouping field value. Below we have given an example:
index=_internal sourcetype=splunkd_ui_access
| table method,status
| dedup method,status
| eventstats sum(status) by method
Result: (screenshot of the output table)
Explanation:
In the above query, method and status are both existing field names in the _internal index, and the sourcetype name is splunkd_ui_access. We have put the method and status fields in tabular format with the table command, and with the dedup command we have removed duplicate (method, status) combinations from the result set. Finally we have taken the summation of the status field values by method with the help of the sum function, computed by the eventstats command. In the sum(status) field of the above image you can see the summation.
Example: For the rows where the method field value is equal to GET we have taken the summation of status. The eventstats command takes the whole result set before the pipe as input and computes the summation. After computing it, the command shows the same summation value inline in each row where the method field value is equal to GET.
In the sum(status) field we get (200 + 304 + 303 + 404) = 1211 for every row where the method field value is equal to GET.
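To make the two behaviours concrete, here is an added Python model of the dedup, streamstats and eventstats steps from both searches above (example code written for this post, not Splunk's implementation). It runs over a constructed set of events that reproduces the GET rows walked through above, and also shows that reversing the input changes the streamstats column but not the eventstats column, which is the property that matters when a detection search relies on running counts versus totals.

```python
from collections import defaultdict

# Constructed sample events standing in for the splunkd_ui_access rows.
# Rows 1, 4, 5 and 7 are the GET statuses the post walks through; the
# POST rows and the trailing duplicate GET/200 row are invented here.
SAMPLE_EVENTS = [
    {"method": "GET", "status": 200},
    {"method": "POST", "status": 200},
    {"method": "POST", "status": 404},
    {"method": "GET", "status": 304},
    {"method": "GET", "status": 303},
    {"method": "POST", "status": 500},
    {"method": "GET", "status": 404},
    {"method": "GET", "status": 200},  # duplicate, removed by dedup
]

def dedup(events, *fields):
    """Keep the first event for each distinct combination of `fields`,
    as `| dedup method,status` does."""
    seen, out = set(), []
    for ev in events:
        key = tuple(ev[f] for f in fields)
        if key not in seen:
            seen.add(key)
            out.append(ev)
    return out

def streamstats_sum(events, field, by):
    """Running sum of `field` per `by` value, in event order: each row
    gets the total of itself plus all earlier rows in its group."""
    running = defaultdict(int)
    out = []
    for ev in events:
        running[ev[by]] += ev[field]
        out.append({**ev, f"sum({field})": running[ev[by]]})
    return out

def eventstats_sum(events, field, by):
    """Total of `field` per `by` value over the whole result set; every
    row in a group carries the same final total, whatever the order."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev[by]] += ev[field]
    return [{**ev, f"sum({field})": totals[ev[by]]} for ev in events]

def sums_for(rows, method, field="status"):
    """Extract the sum(field) column for one method, in row order."""
    return [r[f"sum({field})"] for r in rows if r["method"] == method]
```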
Hope this has helped you get a clear idea about the topic below:
Difference between STREAMSTATS and EVENTSTATS commands in Splunk
Happy Splunking !!