What happened to my bytes field? Also explained in the documentation is the anatomy of a search.
Sourcetype=access_combined* | head 5 | stats sum(bytes) as ASimpleSumOfBytes by clientip | table bytes, ASimpleSumOfBytes, clientip This is wonderful and easy, but what if one wishes to build on this and is interested in aggregating the original byte count (or any other related field) in a table such as this: Splunk computes the statistics, in this case “sum” and puts them in a table along with the relevant client IP addresses.
#SPLUNK TSTATS COMMAND MANUAL#
To understand what happened with the above search take a look at the “ search pipeline” section of the Search Manual in the Splunk documentation and pay attention to intermediate tables, as well as the different types of search commands. Sourcetype=access_combined* | head 5 | stats sum(bytes) as ASimpleSumOfBytes by clientip In addition, I’ll make it easy to find alphabetically, I’ll prefix it with an “A”. I’ll also rename the result to be “ASimpleSumOfBytes” so that it stands out. Using the stats command and the sum function, I can compute the sum of the bytes for each clientip. Right now we are just interested in the number of bytes per clientip. Splunk users will notice the raw log events in the results area, as well as a number of fields (in addition to bytes and clientip) listed in a column to the left on the screen shot above. The fields (and values of those fields) of interest are as follows: To begin, do a simple search of the web logs in Splunk and look at 5 events and the associated byte count related to two ip addresses in the field clientip. So let’s look at a simple search command that sums up the number of bytes per IP address from some web logs. There are also a number of statistical functions at your disposal, avg(), count(), distinct_count(), median(), perc(), stdev(), sum(), sumsq(), etc.
If called with a by-clause, one row is produced for each distinct value of the by-clause. If called without a by clause, one row is produced, which represents the aggregation over the entire incoming result set.
Per the Splunk documentation:Ĭalculate aggregate statistics over the dataset, similar to SQL aggregation. (If you’re cool with stats, scroll on down to eventstats or streamstats.)Īs the name implies, stats is for statistics. In an effort to keep it simple, I’ll limit the data of interest to five (5) events with the head command. I will take a very basic, step-by-step approach by going through what is happening with the stats command, and then expand on that example to show how stats differs from eventstats and streamstats. Reference documentation links are included at the end of the post. Stats typically gets a lot of use, but I’ll use it to set the stage for eventstats and streamstats which don’t get as much use. In this blog post, I will attempt, by means of a simple web log example, to illustrate how the variations on the stats command work, and how they are different. When you dive into Splunk’s excellent documentation, you will find that the stats command has a couple of siblings - eventstats and streamstats. Hopefully this will help advance some folks beyond “super grep” as well as assist those who may be new to Splunk. They just use Splunk to search (happily I might add) for keywords and phrases over many sources of machine data. It never ceases to amaze me how many Splunkers are stuck in the “super grep” stage. Putting eval aside for another blog post, let’s examine the stats command. When I first joined Splunk, like many newbies I needed direction on where to start. Getting started with stats, eventstats and streamstats
0 kommentar(er)
