![]() Right now we are just interested in the number of bytes per clientip. Splunk users will notice the raw log events in the results area, as well as a number of fields (in addition to bytes and clientip) listed in a column to the left on the screen shot above. The fields (and values of those fields) of interest are as follows: To begin, do a simple search of the web logs in Splunk and look at 5 events and the associated byte count related to two ip addresses in the field clientip. So let’s look at a simple search command that sums up the number of bytes per IP address from some web logs. There are also a number of statistical functions at your disposal, avg(), count(), distinct_count(), median(), perc(), stdev(), sum(), sumsq(), etc. If called with a by-clause, one row is produced for each distinct value of the by-clause. If called without a by clause, one row is produced, which represents the aggregation over the entire incoming result set. Per the Splunk documentation:Ĭalculate aggregate statistics over the dataset, similar to SQL aggregation. ![]() (If you’re cool with stats, scroll on down to eventstats or streamstats.)Īs the name implies, stats is for statistics. In an effort to keep it simple, I’ll limit the data of interest to five (5) events with the head command. I will take a very basic, step-by-step approach by going through what is happening with the stats command, and then expand on that example to show how stats differs from eventstats and streamstats. Reference documentation links are included at the end of the post. Stats typically gets a lot of use, but I’ll use it to set the stage for eventstats and streamstats which don’t get as much use. In this blog post, I will attempt, by means of a simple web log example, to illustrate how the variations on the stats command work, and how they are different. When you dive into Splunk’s excellent documentation, you will find that the stats command has a couple of siblings - eventstats and streamstats. Hopefully this will help advance some folks beyond “super grep” as well as assist those who may be new to Splunk. They just use Splunk to search (happily I might add) for keywords and phrases over many sources of machine data. It never ceases to amaze me how many Splunkers are stuck in the “super grep” stage. Putting eval aside for another blog post, let’s examine the stats command. When I first joined Splunk, like many newbies I needed direction on where to start. Getting started with stats, eventstats and streamstats ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |