Stats:
The stats command is used to calculate summary statistics on the results of a search or the events retrieved from an index.
- count
- It gives you the count of events on the basis of fields selected or as a whole
- You can have count based on multiple events.
1 2 | index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"| stats count |
- average/min/max
- These mathematical commands are used to calculate the average value, maximum values, minimum values of the total event or per entity like server, log file etc.
1 2 | index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"| stats avg(values) max(values) min(values) |
- “by” clause
- This is used to get the values as output based on an entity and not as whole.
1 2 | index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"| stats avg(values) max(values) min(values) by host |
You can get the output data based on multiple entity
1 2 | index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"| stats avg(values) max(values) min(values) by host sourcetype |
- “rename” command or “as” clause
- This is used to rename the field.
1 2 3 | index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"| stats avg(values) max(values) min(values) by host| rename avg(value) as "average value" max(value) as "maximum value" min(value) as "minimum value" |
This can also be done in the same statement using “as” clause only.
1 2 | index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"| stats avg(values) as "average value" max(values) as "maximum value" min(values) as "minimum value" by host |
“where” command
- “sort” command
- This is used to sort the output data as per requirement.
1 2 3 | index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"| stats avg(values) as "average value" max(values) as "maximum value" min(values) as "minimum value" by host| sort "average value" |
- “where” command
- This is used to filter the output data as per requirement.
1 2 3 | index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"| stats avg(values) as "average value" max(values) as "maximum value" min(values) as "minimum value" by host| where "average value" > 5 |