Events: Splunk Tstats/Data Model Acceleration Workshop

The team will be hosting a Tstats and Data Models workshop designed for intermediate Splunk users. Accelerated data models and the tstats command are excellent techniques to make your Splunk searches more performant and to make your user experience frictionless. This short and highly informative workshop, taught by Alenna Drake, will provide a hands-on look at Splunk accelerated data models and the tstats command. Important note: this is beyond an introductory course and is not for newcomers! You WILL learn about the inner workings of Splunk, as well as some commands you may have never heard of!

Please have a laptop available, that you have administrative rights to, with the following two files downloaded:

Location: Virtual Zoom Meeting (Join Zoom Meeting). If you would like to test the Zoom capability beforehand from your environment, please let us know and we can schedule a time to do that.

Getting started with stats, eventstats and streamstats

When I first joined Splunk, like many newbies I needed direction on where to start. Putting eval aside for another blog post, let's examine the stats command.

It never ceases to amaze me how many Splunkers are stuck in the "super grep" stage. They just use Splunk to search (happily, I might add) for keywords and phrases over many sources of machine data. Hopefully this will help advance some folks beyond "super grep" as well as assist those who may be new to Splunk.

When you dive into Splunk's excellent documentation, you will find that the stats command has a couple of siblings: eventstats and streamstats. In this blog post, I will attempt, by means of a simple web log example, to illustrate how the variations on the stats command work and how they differ. Stats typically gets a lot of use, but I'll use it to set the stage for eventstats and streamstats, which don't get as much use. Reference documentation links are included at the end of the post.

I will take a very basic, step-by-step approach by going through what is happening with the stats command, and then expand on that example to show how stats differs from eventstats and streamstats. In an effort to keep it simple, I'll limit the data of interest to five (5) events with the head command. (If you're cool with stats, scroll on down to eventstats or streamstats.)

As the name implies, stats is for statistics. Per the Splunk documentation: "Calculate aggregate statistics over the dataset, similar to SQL aggregation. If called without a by clause, one row is produced, which represents the aggregation over the entire incoming result set. If called with a by-clause, one row is produced for each distinct value of the by-clause." There are also a number of statistical functions at your disposal: avg(), count(), distinct_count(), median(), perc(), stdev(), sum(), sumsq(), etc.

So let's look at a simple search command that sums up the number of bytes per IP address from some web logs. To begin, do a simple search of the web logs in Splunk and look at 5 events and the associated byte count related to two IP addresses in the field clientip. The fields of interest are clientip and bytes; their values for each of the five events appear in the screenshot. Splunk users will notice the raw log events in the results area, as well as a number of fields (in addition to bytes and clientip) listed in a column to the left of the screenshot. Right now we are just interested in the number of bytes per clientip.

Using the stats command and the sum function, I can compute the sum of the bytes for each clientip. I'll also rename the result to "ASimpleSumOfBytes" so that it stands out, and prefix it with an "A" so that it is easy to find alphabetically in the field list. Note that Splunk field names are case-sensitive, so the field is sourcetype, not Sourcetype:

```
sourcetype=access_combined* | head 5 | stats sum(bytes) as ASimpleSumOfBytes by clientip
```
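To make the difference between the three commands concrete, here is an added Python model of the bytes-per-clientip search. This is neither Splunk's code nor the post author's (Splunk runs SPL, not Python); the five access_combined log lines, the IP addresses and the byte counts are constructed for the example. It reuses the post's field names (clientip, bytes, ASimpleSumOfBytes) and goes one step beyond the post by implementing all three variants side by side: stats collapses the events to one row per clientip, eventstats keeps every event and annotates it with its group's total, and streamstats keeps every event and annotates it with a running total in arrival order.

```python
import re
from collections import defaultdict

# Constructed sample events in Apache access_combined format (not from the original post):
# five events from two client IPs, mirroring the post's "head 5" example.
RAW_EVENTS = [
    '10.1.1.1 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.88"',
    '10.1.1.2 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.1.1.1 - - [10/Oct/2023:13:55:38 +0000] "POST /upload HTTP/1.1" 200 4096 "-" "curl/7.88"',
    '10.1.1.2 - - [10/Oct/2023:13:55:39 +0000] "GET /static/app.js HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
    '10.1.1.1 - - [10/Oct/2023:13:55:40 +0000] "GET /export.csv HTTP/1.1" 200 2048 "-" "curl/7.88"',
]

# Minimal access_combined field extraction, standing in for Splunk's automatic
# extraction of clientip, method, uri, status and bytes.
ACCESS_COMBINED = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_events(lines):
    """Return one dict of extracted fields per event. A '-' byte count becomes 0."""
    events = []
    for line in lines:
        m = ACCESS_COMBINED.match(line)
        if not m:
            continue  # unparseable line: Splunk would still index it, but without these fields
        ev = m.groupdict()
        ev["bytes"] = 0 if ev["bytes"] == "-" else int(ev["bytes"])
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def stats_sum_by(events, field, by, as_name):
    """stats sum(field) as as_name by by: one row per distinct by-value.
    All other fields of the incoming events are dropped."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev[by]] += ev[field]
    # Splunk orders the result rows by the by-field value.
    return [{by: k, as_name: v} for k, v in sorted(totals.items())]


def eventstats_sum_by(events, field, by, as_name):
    """eventstats sum(field) as as_name by by: every event is kept and gets
    a new field holding the total for its by-group."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev[by]] += ev[field]
    return [dict(ev, **{as_name: totals[ev[by]]}) for ev in events]


def streamstats_sum_by(events, field, by, as_name):
    """streamstats sum(field) as as_name by by: every event is kept and gets
    a new field holding the running total for its by-group, accumulated in
    the order the events arrive (which is why ordering matters, see below)."""
    running = defaultdict(int)
    out = []
    for ev in events:
        running[ev[by]] += ev[field]
        out.append(dict(ev, **{as_name: running[ev[by]]}))
    return out


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    for name, fn in (("stats", stats_sum_by),
                     ("eventstats", eventstats_sum_by),
                     ("streamstats", streamstats_sum_by)):
        print(f"--- {name} sum(bytes) as ASimpleSumOfBytes by clientip ---")
        for row in fn(evs, "bytes", "clientip", "ASimpleSumOfBytes"):
            print(row)
```

Two practical caveats. First, Splunk returns events newest-first by default, so `head 5` selects the five most recent events, and a running total from streamstats then accumulates backwards in time unless you put `| sort _time` or `| reverse` in front of it. Second, the shape of this query is the one a SOC analyst uses to spot a client pulling unusually large volumes: once `head 5` is replaced by a sensible time range, eventstats is the variant that lets you keep each request (its uri and status) next to the per-client total, so you can see which requests produced the bytes rather than just the number.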