Splunk stats count by multiple fields

11/29/2023

This topic discusses how to use the statistical functions with the transforming commands chart, timechart, stats, eventstats, and streamstats. For more information about the stats command and its syntax, see the "stats" command in the Search Reference. For the list of stats functions, see "Statistical and charting functions" in the Search Reference.

The stats, streamstats, and eventstats commands each enable you to calculate summary statistics on the results of a search or the events retrieved from an index. The stats command works on the search results as a whole. The streamstats command calculates statistics for each event at the time the event is seen, in a streaming manner. The eventstats command calculates statistics on all search results and adds the aggregation inline to each event for which it is relevant. See more about the differences between these commands in the next section.

The chart command returns your results in a data structure that supports visualization as a chart (such as a column, line, area, or pie chart). You can decide which field is tracked on the x-axis of the chart. The timechart command returns your results formatted as a time-series chart, where your data is plotted against an x-axis that is always a time field. Read more about visualization features and options in the Visualization Reference of the Data Visualization Manual.

The stats, chart, and timechart commands (and their related commands eventstats and streamstats) are designed to work in conjunction with statistical functions. The statistical functions let you count the occurrences of a field and calculate sums, averages, ranges, and so on, of the field values. For the list of statistical functions and how they're used, see "Statistical and charting functions" in the Search Reference.

The eventstats and streamstats commands are variations on the stats command. The stats command works on the search results as a whole and returns only the fields that you specify. For example, the following search returns a table with two columns (and 10 rows).

    sourcetype=access_* | head 10 | stats sum(bytes) as ASumOfBytes by clientip

The ASumOfBytes and clientip fields are the only fields that exist after the stats command. For example, the following search returns empty cells in the bytes column because bytes is not a result field.

    sourcetype=access_* | head 10 | stats sum(bytes) as ASumOfBytes by clientip | table bytes, ASumOfBytes, clientip

To see fields other than ASumOfBytes and clientip in the results, you need to include them in the stats command. Also, if you want to perform calculations on any of the original fields in your raw events, you need to do that before the stats command.
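The difference between stats, eventstats and streamstats described above, shown as an added example: a small Python model of the three commands' semantics written for this page (not Splunk code or output), run over a handful of constructed access-log events. The function names, the sample events and their values are assumptions; the point is which fields survive each command and how the aggregate is attached.

```python
# Constructed sample events standing in for sourcetype=access_* results
# (values are made up for illustration, not real log data).
EVENTS = [
    {"clientip": "10.0.0.1", "status": "200", "bytes": 512},
    {"clientip": "10.0.0.2", "status": "404", "bytes": 128},
    {"clientip": "10.0.0.1", "status": "200", "bytes": 256},
    {"clientip": "10.0.0.2", "status": "200", "bytes": 64},
    {"clientip": "10.0.0.1", "status": "500", "bytes": 1024},
]


def _key(ev, by):
    # The distinct combination of by-fields this event belongs to.
    return tuple(ev[f] for f in by)


def _totals(events, by, field):
    # sum(field) per by-combination, or a count when field is None;
    # dict insertion order keeps first-seen order of the groups.
    totals = {}
    for ev in events:
        k = _key(ev, by)
        totals[k] = totals.get(k, 0) + (ev[field] if field else 1)
    return totals


def stats(events, by, field=None, as_name="count"):
    """Model `stats sum(field) as as_name by ...` (or `stats count by ...`).
    Collapses to one row per by-combination; only the by-fields and the
    aggregate survive, so `| table bytes` afterwards shows empty cells."""
    return [dict(zip(by, k), **{as_name: n}) for k, n in _totals(events, by, field).items()]


def eventstats(events, by, field=None, as_name="count"):
    """Model `eventstats ...`: the whole-result aggregate is added inline
    to every event, and every original field is kept."""
    totals = _totals(events, by, field)
    return [dict(ev, **{as_name: totals[_key(ev, by)]}) for ev in events]


def streamstats(events, by, field=None, as_name="count"):
    """Model `streamstats ...`: a running aggregate over the events seen
    so far, in the order they arrive; original fields are kept."""
    running, out = {}, []
    for ev in events:
        k = _key(ev, by)
        running[k] = running.get(k, 0) + (ev[field] if field else 1)
        out.append(dict(ev, **{as_name: running[k]}))
    return out
```

Passing two by-fields, e.g. `stats(EVENTS, ["clientip", "status"])`, is the model of the title's `stats count by clientip status`.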