Exposure to commands in Splunk – Part I
Stats:
The stats command is used to calculate summary statistics on the results of a search or the events retrieved from an index.
- count
- It gives you the count of events, either as a whole or on the basis of the fields you select.
- The count can also be split across multiple fields at once (see the "by" clause below).
index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"
| stats count
- average/min/max
- These statistical functions calculate the average, maximum and minimum values of a field over all events, or per entity such as a server or a log file.
index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"
| stats avg(values) max(values) min(values)
- “by” clause
- This is used to split the output by an entity (for example host) instead of computing it over all events as a whole.
index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"
| stats avg(values) max(values) min(values) by host
You can also get the output split by multiple entities:
index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"
| stats avg(values) max(values) min(values) by host sourcetype
- “rename” command or “as” clause
- This is used to rename a field in the output.
index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"
| stats avg(values) max(values) min(values) by host
| rename avg(values) as "average value" max(values) as "maximum value" min(values) as "minimum value"
This can also be done in the same statement using the "as" clause alone:
index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"
| stats avg(values) as "average value" max(values) as "maximum value" min(values) as "minimum value" by host
- “sort” command
- This is used to sort the output data as required (ascending by default; prefix the field with "-" for descending order).
index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"
| stats avg(values) as "average value" max(values) as "maximum value" min(values) as "minimum value" by host
| sort "average value"
- “where” command
- This is used to filter the output data as required. Note that inside "where" (and "eval"), a field name containing spaces must be wrapped in single quotes; double quotes denote a string literal, so "average value" > 5 would compare the text string rather than the field.
index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"
| stats avg(values) as "average value" max(values) as "maximum value" min(values) as "minimum value" by host
| where 'average value' > 5
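Putting the commands above together into one search, as an added example that is not part of the original post: it counts and summarises events per host and log source, keeps only the busy hosts whose average is above a threshold, and lists the noisiest first. The index, host, sourcetype, source and the numeric field values are taken from the searches above; the thresholds 5 and 10 are assumed placeholders.

```spl
index=main host=pheonix_01 sourcetype=main source="C:\Windows\asrblogger\pheonix01.log"
| stats count as event_count avg(values) as "average value" max(values) as "maximum value" min(values) as "minimum value" by host, source
| where 'average value' > 5 AND event_count >= 10
| sort - event_count
| head 20
```

The "as" clause names every aggregate up front so later commands can refer to them; event_count needs no quoting, while the fields with spaces are single-quoted in "where" and double-quoted everywhere else.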