streamstats command: Examples
The following are examples for using the SPL2 streamstats command.
To learn more about the streamstats command, see How the SPL2 streamstats command works.
Many of these examples use the statistical functions. See Overview of SPL2 stats and chart functions.
1. Add a running count to each search result
In the following search, for each search result a new field is appended with a count of the results based on the host value. The count is cumulative and includes the current result.
| from <dataset> | streamstats count()For example, if your data looks like this:
| host | _time |
|---|---|
| x | 2025-07-16T00:00:00.000Z |
| y | 2025-07-15T00:00:00.000Z |
| x | 2025-07-14T00:00:00.000Z |
| x | 2025-07-13T00:00:00.000Z |
| y | 2025-07-12T00:00:00.000Z |
The output would look like this:
| host | _time | count |
|---|---|---|
| x | 2025-07-16T00:00:00.000Z | 1 |
| y | 2025-07-15T00:00:00.000Z | 2 |
| x | 2025-07-14T00:00:00.000Z | 3 |
| x | 2025-07-13T00:00:00.000Z | 4 |
| y | 2025-07-12T00:00:00.000Z | 5 |
2. Using a <by-clause> to reset the search results count
The following search uses the host field to reset the count. For each search result a new field is appended with a count of the results based on the host value. The count is cumulative and includes the current result.
| from <dataset> | streamstats count() BY hostFor example, if your data looks like this:
| host | _time |
|---|---|
| x | 2025-07-16T00:00:00.000Z |
| y | 2025-07-15T00:00:00.000Z |
| x | 2025-07-14T00:00:00.000Z |
| x | 2025-07-13T00:00:00.000Z |
| y | 2025-07-12T00:00:00.000Z |
The output would look like this:
| host | _time | count |
|---|---|---|
| x | 2025-07-16T00:00:00.000Z | 1 |
| y | 2025-07-15T00:00:00.000Z | 1 |
| x | 2025-07-14T00:00:00.000Z | 2 |
| x | 2025-07-13T00:00:00.000Z | 3 |
| y | 2025-07-12T00:00:00.000Z | 2 |
3. Specifying reset options
This example performs an aggregation on the bytes field and displays the total number of bytes by host. The total number of bytes are reset when either action="REBOOT" or when the host changes. The reset options must be specified before the aggregation.
...| streamstats reset after action="REBOOT" onchange sum(bytes) AS total_bytes BY host4. Compute an aggregation of a field over a series of events
For each event, compute the average of the bytes field over the last 5 events, including the current event. The window option must be specified before the aggregation.
... | streamstats window=5 avg(bytes)5. Using the streamstats command with other commands
You can use the streamstats command with other commands to create a set events with hourly timestamps. For example, you can use the repeat function, with the eval and streamstats commands to create a set of 5 events with incremental timestamps:
| FROM repeat({}, 5)
| eval _time = now()
| streamstats count()
| eval _time=_time-(count*3600)The results look something like this:
| _time | count |
|---|---|
| 2025-02-25 15:35:14 | 1 |
| 2025-02-25 14:35:14 | 2 |
| 2025-02-25 13:35:14 | 3 |
| 2025-02-25 12:35:14 | 4 |
| 2025-02-25 11:35:14 | 5 |
For more examples like this, see the "Examples" section in the repeat dataset function topic.
See also
streamstats command