Skip to content
SPL // Splunk

Using the streamstats Command

KGI Avatar

Written by: Ellis DeVaney | Last Updated:

May 3, 2024

Originally Published:

January 24, 2024

In the ever-evolving world of data analysis, efficiency and precision are paramount. For businesses, the ability to harness data insights efficiently can make all the difference. If you’ve been looking to supercharge your data analysis within Splunk, you’re in the right place. In this article, we’ll dive into how you can use the powerful Splunk command streamstats to optimize your data analysis.

What is the streamstats Command?

Splunk’s streamstats command is a powerful tool that allows users to perform cumulative statistical calculations on data as individual events are processed. This command is particularly useful for those who want to provide point-in-time summarization, either with ongoing real-time searches or historical trending over complete results sets. 

Benefits of the streamstats Command?

  1. Real-time Analysis: With streamstats processing events in a cumulative manner, new events can provide the latest data on an event, while streamstats calculations factor in the context of past data to the output statistics. 
  2. Cumulative Trending: Basic visualization of data summarizing events over time often provides isolated statistics in defined time bins. Using streamstats to bolster data with cumulative analysis enables the trending of growth over time. 
  3. Preserving events with summary calculations: Unlike the stats command, streamstats allows for the use of statistical aggregation functions without condensing the results set to a condensed summary. This capability, similarly to the eventstats command, enables further logical evaluations or compounded statistical computation on the searched events. 

Use Cases for streamstats

Scenario #1: EDR (Endpoint Detection Response) Rollout Progress

With an ongoing rollout of a new EDR agent, the project lead wants to visualize the increase in the distinct number of hosts reporting CrowdStrike data as the project goes on. The streamstats command is able to explicitly supply a cumulative count of distinct hosts in the logs. Consequently, the visualization can easily be achieved with a timechart command using the new host_count field. 

					index=crowdstrike earliest=-7d 
| streamstats dc(‘falcon_device.hostname’) as host_count 
| timechart span=4h max(host_count) as host_count 

Scenario #2: Alert on Allowed Brute Force Authentication

Using Palo Alto’s pre-defined threat criteria, a simple search can be run as a real-time search to alert on the condition of Brute Force events exceeding a threshold for individual hosts. Using streamstats allows the count of observed threats for comparison to the threshold to increase as events occur. 

					index=palo_alto sourcetype=pan:threat category=”brute-force” action=”allowed” 
| streamstats count as threat_count by dest  
| stats dc(src) as src_count, max(threat_count) as threat_count by dest 
| where threat_count>10 


Splunk’s streamstats command is a game-changing tool for those seeking real-time data analysis, cumulative trending, and flexible data manipulation. With the ability to calculate metrics as data streams through your search results, you can get the following benefits: 

  1. Get immediate insights from your data.
  2. Spot data trends more effectively.
  3. Streamline your data analysis workflows.

As you explore streamstats, keep in mind its various applications, from server performance monitoring to security detections. Practice these use cases to master the potential of streamstats and elevate your data analysis capabilities.

Helpful? Don't forget to share this post!