streamstats
Description
Performs statistical operations on streaming data.
Syntax
streamstats <functions-expression> ["," <functions-expression>]
[<by_expression>] [<onchangeExpression>] [<beforeExpression>] [<afterExpression>] [<windowExpression>]
Required Arguments
At least one function must be used:
<functions-expression>
For the description, see the stats command.
Optional Arguments
Parameter | Syntax | Default | Description |
---|---|---|---|
<by_expression> | <by_field> ["," <by_field> ...] | | Field name(s) for grouping values. |
<beforeExpression> | reset_before=(<eval-expression>) | false | An eval expression returning a boolean. Resets accumulated statistics before calculating for the current event if the expression is true. |
<afterExpression> | reset_after=(<eval-expression>) | false | An eval expression returning a boolean. Resets accumulated statistics after calculating for the current event if the expression is true. |
<onchangeExpression> | reset_on_change=(<bool>) | false | Resets accumulated statistics if the value of at least one by field changes. |
<windowExpression> | window=(<int>) | 0 (unlimited) | The maximum number of events over which statistics will be calculated. |
Query Examples
Example #1
source server_warnings
| streamstats avg(amount) as stream_avg by server_name
| eventstats avg(amount) as event_avg by server_name
Example #2
| makeresults count=10 shownumbers=true
| streamstats sum(number) as summ reset_after = (number==sqrt(9))
Example #3
source server_warnings
| streamstats avg(amount) as stream_avg, count reset_before = (amount==abs(-16))
Example #4
source server_warnings
| streamstats avg(amount) as stream_avg, count window=3
Example #5
source apps
| streamstats count by action reset_on_change=true reset_before=(computer == "vb.host2")
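
The following Python model is an added illustration of the reset_before, reset_after and window behaviour described in the Optional Arguments table; it is not the product's implementation. The input events are constructed, and two points are assumptions: the window includes the current event, and a reset also empties the window.

```python
from collections import deque

def streamstats(events, field, reset_before=None, reset_after=None, window=0):
    """Model of a running sum/count over `field` (hypothetical helper).

    reset_before / reset_after are predicates on the current event,
    standing in for the eval expressions in the table.
    window=0 means unlimited, matching the documented default.
    Returns one (sum, count) tuple per input event.
    """
    buf = deque()  # values currently contributing to the statistics
    out = []
    for ev in events:
        # reset_before: discard accumulated state, then count this event
        if reset_before and reset_before(ev):
            buf.clear()
        buf.append(ev[field])
        # window: keep at most `window` events (assumed to include this one)
        if window and len(buf) > window:
            buf.popleft()
        out.append((sum(buf), len(buf)))
        # reset_after: this event is still counted, the next one starts fresh
        if reset_after and reset_after(ev):
            buf.clear()
    return out

def sums(rows):
    """Extract only the running sums from streamstats() output."""
    return [s for s, _ in rows]

# Constructed input: six events with number = 1..6
EVENTS = [{"number": n} for n in range(1, 7)]

def is_three(ev):
    # Same condition as Example #2: number == sqrt(9)
    return ev["number"] == 3

if __name__ == "__main__":
    print("no reset    ", sums(streamstats(EVENTS, "number")))
    print("reset_after ", sums(streamstats(EVENTS, "number", reset_after=is_three)))
    print("reset_before", sums(streamstats(EVENTS, "number", reset_before=is_three)))
    print("window=3    ", sums(streamstats(EVENTS, "number", window=3)))
```

With reset_after the matching event still contributes to the old running total, while with reset_before it becomes the first event of the new one.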