What Is the streamstats Command?
The streamstats command computes running (cumulative) statistics as it processes each event in order, and it attaches the value computed so far to every event. Unlike eventstats, which computes one value over the entire result set and copies it to each event, streamstats builds its calculations progressively, event by event. Because of that, its output depends on the order in which events reach it, which makes it well suited to detecting acceleration patterns, computing moving averages, and numbering events sequentially.
Core Syntax
| streamstats [current=<bool>] [window=<N>] <function>(<field>) AS <alias> [BY <field-list>]
The optional window argument limits the calculation to the most recent N events, enabling moving (sliding window) computations; without it the statistic is cumulative from the first event. The optional current argument (default true) controls whether the current event itself is included; current=false computes the statistic over the preceding events only, which is what you want for "previous event" comparisons and for baselines that should not contain the value being tested. With BY, each group keeps its own running state.
Security Operations Examples
1. Moving Average for Anomaly Detection
Compute a 24-hour moving average of hourly authentication failures and flag hours that exceed three times that baseline. timechart already emits the buckets in time order, so no sort is needed here. current=false keeps the hour under test out of its own baseline; otherwise a large spike inflates the average it is compared against and can fail to trigger the threshold. The first bucket has no preceding hours and gets a null moving_avg, so it is never flagged.
index=security sourcetype=WinEventLog:Security EventCode=4625
| timechart span=1h count AS hourly_failures
| streamstats current=false window=24 avg(hourly_failures) AS moving_avg
| eval anomaly = if(hourly_failures > moving_avg * 3, "YES", "NO")
| where anomaly="YES"
2. Cumulative Data Exfiltration Tracking
Keep a running total of outbound bytes per source address and surface sources that have sent more than 5 GB over the search window. Note the 0 on sort: without it, sort keeps only the first 10,000 results, which silently truncates the running total. The where clause returns every event after a source crosses the threshold; append | dedup src_ip if you only want the event at which each source first crossed it.
index=network sourcetype=firewall action=allowed
| sort 0 _time
| streamstats sum(bytes_out) AS cumulative_bytes BY src_ip
| eval cumulative_GB = round(cumulative_bytes / 1073741824, 3)
| where cumulative_GB > 5
3. Event Sequencing — Time Between Failures
Calculate the time gap between consecutive failed logins for the same account to detect rapid brute-force attempts. Sorting by account and then time puts each account's failures next to each other in chronological order; current=false makes last(_time) return the timestamp of the previous event in the group rather than the current one. The first event for each account has no predecessor, so prev_time is null and the event is dropped by the isnotnull check (where uses eval syntax, so isnotnull() is the correct test). In classic Windows Security logs Account_Name is frequently multivalued on 4625 events (subject and target account), so normalize it to a single field before grouping on it.
index=security sourcetype=WinEventLog:Security EventCode=4625
| sort 0 Account_Name _time
| streamstats current=false last(_time) AS prev_time BY Account_Name
| eval gap_seconds = _time - prev_time
| where isnotnull(gap_seconds) AND gap_seconds < 5
| table _time Account_Name src_ip gap_seconds
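To make the event-by-event behaviour concrete, here is an added Python model of streamstats that reproduces Example 1 (window= moving average) and Example 3 (current=false previous-event gap). It is illustration written for this article, not Splunk code: the streamstats function, the hourly series and the 4625-style log lines are all constructed, and the key=value line format is an assumption made for the parser.

```python
"""Added example (not from the original article): a small Python model of how
streamstats walks a result set event by event. It reproduces Example 1
(window= moving average) and Example 3 (current=false previous-event gap).
All events and log lines below are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime


def streamstats(events, func, field, alias, window=None, current=True, by=None):
    """Emulate `streamstats [window=N] [current=<bool>] func(field) AS alias [BY by]`.

    Events are consumed in the order given, exactly like the real command, so the
    caller is responsible for sorting. window=None gives cumulative stats, window=N
    keeps only the N most recent values; current=False excludes the current event
    (alias is None when no earlier event exists in the group, Splunk's null).
    """
    seen = defaultdict(deque)  # per-group buffer of the field values seen so far
    out = []
    for ev in events:
        buf = seen[ev.get(by) if by else None]
        if current:
            buf.append(ev[field])
            if window is not None and len(buf) > window:
                buf.popleft()
            value = func(list(buf))
        else:
            value = func(list(buf)) if buf else None
            buf.append(ev[field])
            if window is not None and len(buf) > window:
                buf.popleft()
        out.append({**ev, alias: value})
    return out


def avg(xs):
    return sum(xs) / len(xs)


def last(xs):
    return xs[-1]


# --- Example 1: moving average over hourly 4625 counts (constructed series) ---
HOURLY = [{"hour": f"{h:02d}:00", "hourly_failures": n}
          for h, n in enumerate([10, 12, 11, 9, 50, 12])]


def anomalous_hours(rows, window, current):
    """Return hours whose failure count exceeds 3x the moving average."""
    scored = streamstats(rows, avg, "hourly_failures", "moving_avg",
                         window=window, current=current)
    return [r["hour"] for r in scored
            if r["moving_avg"] is not None
            and r["hourly_failures"] > 3 * r["moving_avg"]]


# --- Example 3: gap between consecutive failed logons per account ---
# Constructed lines, deliberately out of order to show why sorting matters.
RAW_4625 = """\
2024-03-01T09:00:03Z EventCode=4625 Account_Name=alice src_ip=10.0.0.5
2024-03-01T09:30:00Z EventCode=4625 Account_Name=bob src_ip=10.0.0.9
2024-03-01T09:00:02Z EventCode=4625 Account_Name=alice src_ip=10.0.0.5
2024-03-01T09:05:00Z EventCode=4625 Account_Name=bob src_ip=10.0.0.9
2024-03-01T09:00:00Z EventCode=4625 Account_Name=alice src_ip=10.0.0.5
"""


def parse_4625(raw):
    """Turn constructed 'timestamp k=v k=v' lines into event dicts with epoch _time."""
    events = []
    for line in raw.splitlines():
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["_time"] = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
        events.append(ev)
    return events


def rapid_failures(raw, max_gap=5):
    """Equivalent of: sort 0 Account_Name _time | streamstats current=false
    last(_time) AS prev_time BY Account_Name | eval gap | where gap < max_gap."""
    events = sorted(parse_4625(raw), key=lambda e: (e["Account_Name"], e["_time"]))
    scored = streamstats(events, last, "_time", "prev_time",
                         current=False, by="Account_Name")
    hits = []
    for ev in scored:
        if ev["prev_time"] is None:  # first event for this account: no gap yet
            continue
        gap = ev["_time"] - ev["prev_time"]
        if gap < max_gap:
            hits.append((ev["Account_Name"], ev["src_ip"], gap))
    return hits


if __name__ == "__main__":
    print("spikes, current=true :", anomalous_hours(HOURLY, window=3, current=True))
    print("spikes, current=false:", anomalous_hours(HOURLY, window=3, current=False))
    print("rapid failures:", rapid_failures(RAW_4625))
```

Running it shows the two points the examples rely on: with current=True the 50-failure hour is averaged into its own baseline and never exceeds the 3x threshold, while current=False flags it; and the gap detection only finds alice's back-to-back failures once the events have been sorted by account and time, because the model, like the real command, has no notion of order beyond the sequence it is handed.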
4. Numbering Events per Session
Number the requests within each web session in chronological order and keep sessions that exceed 100 page views, a useful first cut for scraping or crawling activity. session_id is assumed to be an extracted field; access_combined does not carry one by default.
index=web sourcetype=access_combined
| sort 0 session_id _time
| streamstats count AS page_number BY session_id
| where page_number > 100
Advanced Patterns
Sliding Window Standard Deviation
Flag response times more than two standard deviations above the rolling mean of the preceding 50 events. Until 50 events have been seen the window is shorter, so the first few bounds are less stable. Add current=false if the event under test should not contribute to its own bound.
| streamstats window=50 avg(response_time) AS rolling_avg stdev(response_time) AS rolling_stdev
| eval upper_bound = rolling_avg + (2 * rolling_stdev)
| where response_time > upper_bound
Running Distinct Count
Track how many distinct hosts each account has logged on to so far and surface accounts past 10, a simple lateral-movement indicator. Because the count is cumulative, the first event at which an account crosses the threshold is the one worth investigating. Expect machine accounts and service accounts to cross it legitimately; exclude them, or restrict the search to the logon types you care about, before alerting on this.
index=security sourcetype=WinEventLog:Security EventCode=4624
| sort 0 _time
| streamstats dc(ComputerName) AS unique_hosts_accessed BY Account_Name
| where unique_hosts_accessed > 10
streamstats vs. eventstats
| Feature | eventstats | streamstats |
|---|---|---|
| Scope | Entire result set | Progressive / cumulative |
| Window support | No | Yes (window=N) |
| Order-dependent | No | Yes — relies on event order |
| Best for | Global baselines | Moving averages, running totals, sequences |
Best Practices
- Sort before streamstats. streamstats is order-dependent, and search results normally arrive newest first, so without a sort your "running" totals run backwards in time. Use | sort 0 _time (or your intended order) before it; the 0 matters, because sort otherwise keeps only the first 10,000 results. The one exception is output that is already ordered, such as timechart buckets.
- Use window for moving calculations. Without window you get cumulative totals from the first event; with window=N you get sliding-window stats over the most recent N events.
- Combine with current=false for "previous event" comparisons. It excludes the current event from the computation, so last(field) returns the previous event's value and a moving average does not contain the value being tested.
- Watch performance on large datasets. streamstats processes every event and keeps per-group state; filter and constrain the time range before using it, and keep BY cardinality in mind.
Next in the series: The top and rare commands — quick frequency analysis for triage and investigation.