Streamstats command usage

Resetting the aggregations

There are several ways to reset the aggregations. You can reset before something occurs, after something occurs, and when the values in the field change.

The reset after clause resets the aggregation in the next search result after the condition occurs. The reset before clause resets the aggregation in the search result in which the condition occurs.

Suppose that you have the following data:

You want to calculate the total bytes for each host. However, when the system reboots you want the calculation for the total bytes to begin again. You can use the reset after argument to accomplish this.

    | streamstats reset after action="REBOOT" sum(bytes) AS total_bytes BY host

Because the value in the action field is a string literal, the value needs to be enclosed in double quotation marks.

The streamstats command calculates a running total of the bytes for each host into a field called total_bytes. The running total resets each time an event satisfies the action="REBOOT" criteria. The total_bytes field accumulates a sum of the bytes so far for each host.

When the reset after clause action="REBOOT" occurs in the 4th event, that event shows the sum for the x host, including the bytes for the REBOOT action. The sum of the bytes is reset for both the y and x hosts in the next events.

If the reset before clause is used instead, the results would be this:

To reset the aggregation whenever any of the fields specified in the clause change, use the reset onchange condition. Continuing with the previous example, you would use this syntax:

    | streamstats reset onchange sum(bytes) AS total_bytes BY host

Because the value of the host changes between the 2nd and 3rd rows, the total_bytes is reset in the 3rd row. The reset occurs again between the 4th and 5th rows.
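The three reset behaviours described above, modelled in Python as an added example (this is not Splunk code and not part of the original page). The sample events are constructed, the function and mode names are hypothetical, and the model assumes a reset clears the running totals for every host, as the text states for the y and x hosts.

```python
from collections import defaultdict

# Constructed sample events (not the page's table): (host, bytes, action)
EVENTS = [
    ("x", 100, "LOGIN"),
    ("x", 200, "LOGIN"),
    ("y", 50, "LOGIN"),
    ("x", 500, "REBOOT"),
    ("y", 300, "LOGIN"),
    ("x", 75, "LOGIN"),
]


def is_reboot(event):
    """Reset condition used in the page's example: action="REBOOT"."""
    return event[2] == "REBOOT"


def running_total(events, mode=None, condition=is_reboot):
    """Model of `sum(bytes) AS total_bytes BY host` with one reset mode.

    mode is None, "after", "before" or "onchange" (hypothetical names).
    Returns the total_bytes value emitted for each event, in order.
    """
    totals = defaultdict(int)  # running sum per host
    prev_host = None
    out = []
    for event in events:
        host, nbytes, _ = event
        if mode == "before" and condition(event):
            totals.clear()  # reset in the event where the condition occurs
        if mode == "onchange" and prev_host is not None and host != prev_host:
            totals.clear()  # reset whenever the BY field value changes
        totals[host] += nbytes
        out.append(totals[host])
        if mode == "after" and condition(event):
            totals.clear()  # reset takes effect from the next event
        prev_host = host
    return out


if __name__ == "__main__":
    for mode in (None, "after", "before", "onchange"):
        print(f"{str(mode):9}", running_total(EVENTS, mode))
```

With reset after, the 4th event still carries the pre-reboot bytes (800), while reset before starts that event from its own 500 bytes.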