8/13/2023 Splunk stats avg

The following are examples for using the SPL2 bin command. To learn more about the bin command, see How the bin command works.

1. Return the average for a field for a specific time span

Bin the search results using a 5 minute time span on the _time field. Return the average "thruput" of each "host" for each 5 minute time span.

| bin span=5m _time | stats avg(thruput) by _time, host

Alternative: You can also specify the span directly with the stats command.

| stats avg(thruput) by span(_time, 5m), host

2. Specify a bin size and return the count of raw events for each bin

Bin the search results into 10 bins for the size field and return the count of raw events for each bin.

| bin bins=10 size AS bin_size | stats count(_raw) BY bin_size

3. Create bins with a large end value to ensure that all possible values are included

Create bins with an end value larger than you need to ensure that all possible values are included. Bin the results based on the amount field.

4. Align the bins to a specific time and set the span to 12 hour intervals from that time

Align the bins to the UTC time of 1500567890 for values in the _time field. Bin the results based on the _time field. The bins will represent 3am - 3pm, then 3pm - 3am (the next day), and so on.

The stats, chart, and timechart commands are great commands to know (especially stats). When I first started learning about the Splunk search commands, I found it challenging to understand the benefits of each command, especially how the BY clause impacts the output of a search. It wasn't until I did a comparison of the output (with some trial and a whole lotta error) that I was able to understand the differences between the commands.

These three commands are transforming commands. A transforming command takes your event data and converts it into an organized results table. You can use these three commands to calculate statistics, such as count, sum, and average.

Note: The BY keyword is shown in these examples and in the Splunk documentation in uppercase for readability. You can use uppercase or lowercase in your searches when you specify the BY keyword.

We are going to count the number of events for each HTTP status code.

For the stats command, the fields that you specify in the BY clause group the results based on those fields. Basically the field values (200, 400, 403, 404) become row labels in the results table. The count of the events for each unique status code is listed in separate rows in a table on the Statistics tab.

For example, we receive events from three different hosts. Each unique combination of status and host is listed on a separate row in the results table:

| stats count BY status, host

Each field you specify in the BY clause becomes a separate column in the results table. You're splitting the rows first on status, then on host. The fields that you specify in the BY clause of the stats command are referred to as row split fields.

One big advantage of using the stats command is that you can specify more than two fields in the BY clause and create results tables that show very granular statistical calculations. When we add the action field to the BY clause, you are splitting the rows first on status, then on host, and then on action. In this example, there are five actions that customers can take on our website: addtocart, changequantity, purchase, remove, and view.

Using the same basic search, let's compare the results produced by the chart command with the results produced by the stats command. If you specify only one BY field, the results from the stats and chart commands are identical. Using the chart command in the search with two BY fields is where you really see differences. Remember that the stats command with two BY fields returned one row for each unique combination of status and host. Now let's substitute the chart command for the stats command in the search. The chart command uses the first BY field, status, to group the results: for each unique value in the status field, the results appear on a separate row.
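SPL cannot be run offline, so here is an added Python model (not Splunk's code and not from the original post) of the three behaviours covered above: stats count with one or more BY fields, chart count with two BY fields, and bin span=5m followed by stats avg. It runs over constructed web-access events whose field names (_time, host, status, action, thruput) follow the page; the hosts www1 to www3 and every value are made up. One thing the model shows that the prose only implies: with two BY fields, chart turns the second field's values into columns and fills combinations that never occur with 0, whereas stats simply has no row for them.

```python
"""Added example (not Splunk code, not from the original page): a small
Python model of how stats, chart and bin treat the BY clause, run over
constructed web-access events."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events, one dict per event (not real logs).
EVENTS = [
    {"_time": "2023-08-13T10:01:10Z", "host": "www1", "status": 200, "action": "view",      "thruput": 120},
    {"_time": "2023-08-13T10:03:40Z", "host": "www1", "status": 200, "action": "addtocart", "thruput": 80},
    {"_time": "2023-08-13T10:04:05Z", "host": "www2", "status": 404, "action": "view",      "thruput": 40},
    {"_time": "2023-08-13T10:06:30Z", "host": "www2", "status": 200, "action": "purchase",  "thruput": 200},
    {"_time": "2023-08-13T10:07:15Z", "host": "www3", "status": 403, "action": "view",      "thruput": 30},
    {"_time": "2023-08-13T10:09:59Z", "host": "www1", "status": 404, "action": "remove",    "thruput": 60},
    {"_time": "2023-08-13T10:11:00Z", "host": "www3", "status": 200, "action": "view",      "thruput": 150},
]


def stats_count_by(events, *fields):
    """| stats count BY f1, f2, ...
    Every BY field becomes a column and each unique combination of values
    is its own row, however many BY (row split) fields there are."""
    counts = Counter(tuple(e[f] for f in fields) for e in events)
    rows = [dict(zip(fields, key), count=n) for key, n in counts.items()]
    return sorted(rows, key=lambda r: [str(r[f]) for f in fields])


def chart_count_by(events, row_field, col_field):
    """| chart count BY row_field, col_field
    With two BY fields chart pivots: the first field's values label the rows,
    the second field's values become the columns, and a combination that
    never occurs shows up as 0 instead of having no row at all."""
    cols = sorted({e[col_field] for e in events})
    table = defaultdict(lambda: dict.fromkeys(cols, 0))
    for e in events:
        table[e[row_field]][e[col_field]] += 1
    return {row: table[row] for row in sorted(table)}


def bin_time(ts, span_seconds):
    """| bin span=<span> _time
    Floor an ISO-8601 UTC timestamp to the start of its span-sized bucket,
    with buckets measured from the Unix epoch (the default alignment)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    return epoch - epoch % span_seconds


def avg_thruput_by_span_host(events, span_seconds=300):
    """| bin span=5m _time | stats avg(thruput) BY _time, host
    Bin first; the binned _time is then just another BY field for stats."""
    totals = defaultdict(lambda: [0.0, 0])  # (bin_start, host) -> [sum, n]
    for e in events:
        key = (bin_time(e["_time"], span_seconds), e["host"])
        totals[key][0] += e["thruput"]
        totals[key][1] += 1
    return {key: s / n for key, (s, n) in sorted(totals.items())}


if __name__ == "__main__":
    for row in stats_count_by(EVENTS, "status", "host"):
        print(row)                     # one row per (status, host) pair
    for status, cols in chart_count_by(EVENTS, "status", "host").items():
        print(status, cols)            # one row per status, one column per host
    for (t, host), avg in avg_thruput_by_span_host(EVENTS).items():
        print(t, host, round(avg, 1))  # one row per (5-minute bin, host)
```

The same stats_count_by shape is what you reach for when hunting, for instance, for a single host or source emitting a burst of 403s: add the extra BY fields and every distinct combination gets its own row, which is exactly why the text calls out stats for granular tables.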