The stats, chart, and timechart commands are great commands to know (especially stats). When I first started learning about the Splunk search commands, I found it challenging to understand the benefits of each command, especially how the BY clause impacts the output of a search. It wasn't until I did a comparison of the output (with some trial and a whole lotta error) that I was able to understand the differences between the commands.

These three commands are transforming commands. A transforming command takes your event data and converts it into an organized results table. You can use these three commands to calculate statistics, such as count, sum, and average.

Note: The BY keyword is shown in these examples and in the Splunk documentation in uppercase for readability. You can use uppercase or lowercase in your searches when you specify the BY keyword.

We are going to count the number of events for each HTTP status code. The count of the events for each unique status code is listed in separate rows in a table on the Statistics tab:

Basically the field values (200, 400, 403, 404) become row labels in the results table.

For the stats command, fields that you specify in the BY clause group the results based on those fields. For example, we receive events from three different hosts.

`| stats count BY status, host`

Each unique combination of status and host is listed on a separate row in the results table.

Each field you specify in the BY clause becomes a separate column in the results table. You're splitting the rows first on status, then on host. The fields that you specify in the BY clause of the stats command are referred to as fields.

In this example, there are five actions that customers can take on our website: addtocart, changequantity, purchase, remove, and view. You are splitting the rows first on status, then on host, and then on action. Below is a partial list of the results table that is produced when we add the action field to the BY clause:

One big advantage of using the stats command is that you can specify more than two fields in the BY clause and create results tables that show very granular statistical calculations.

Using the same basic search, let's compare the results produced by the chart command with the results produced by the stats command. If you specify only one BY field, the results from the stats and chart commands are identical. Using the chart command in the search with two BY fields is where you really see differences.

Remember the results returned when we used the stats command with two BY fields are:

Now let's substitute the chart command for the stats command in the search. The search returns the following results:

The chart command uses the first BY field, status, to group the results. For each unique value in the status field, the results appear on a separate row. This first BY field is referred to as the field. The chart command uses the second BY field, host, to split the results into separate columns. This second BY field is referred to as the field. The values for the host field become the column labels.

Notice the results for the 403 status code in both results tables. With the stats command, there are no results for the 403 status code and the

One important difference between the stats and chart commands is how many fields you can specify in the BY clause. With the stats command, you can specify a list of fields in the BY clause, all of which are fields. The syntax for the stats command BY clause is:

For the chart command, you can specify at most two fields. The chart command provides two alternative ways to specify these fields in the BY clause. The syntax for the chart command BY clause is:

The advantage of using the chart command is that it creates a consolidated results table that is better for creating charts. When you run the stats and chart commands, the event data is transformed into results tables that appear on the Statistics tab. Click the Visualization tab to generate a graph from the results. Here is the visualization for the stats command results table:
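
To make the two-field comparison concrete, here is an added Python sketch (not from the original post and not Splunk's implementation) that emulates `stats count BY` and `chart count BY` over a few constructed events. The host names `www1` to `www3`, the sample events, and the helper names `stats_count` and `chart_count` are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample events (not from the original post): web access records
# reduced to the three fields the article groups on. Host names are assumed.
EVENTS = [
    {"status": 200, "host": "www1", "action": "view"},
    {"status": 200, "host": "www1", "action": "purchase"},
    {"status": 200, "host": "www2", "action": "view"},
    {"status": 200, "host": "www3", "action": "addtocart"},
    {"status": 403, "host": "www1", "action": "view"},
    {"status": 403, "host": "www2", "action": "remove"},
    {"status": 404, "host": "www3", "action": "view"},
]


def stats_count(events, by):
    """Emulate `stats count BY f1, f2, ...`: one row per combination of
    field values that actually occurs; every BY field is its own column."""
    counts = Counter(tuple(e[f] for f in by) for e in events)
    return [dict(zip(by, key), count=n) for key, n in sorted(counts.items())]


def chart_count(events, row_field, col_field):
    """Emulate `chart count BY row_field, col_field`: one row per value of
    the first field, one column per value of the second field, and a
    combination that never occurs shown as a count of 0."""
    counts = Counter((e[row_field], e[col_field]) for e in events)
    cols = sorted({e[col_field] for e in events})
    rows = sorted({e[row_field] for e in events})
    return [{row_field: r, **{c: counts[(r, c)] for c in cols}} for r in rows]


def show(title, table):
    print(title)
    for row in table:
        print("  ", row)


if __name__ == "__main__":
    show("stats count BY status, host", stats_count(EVENTS, ["status", "host"]))
    show("chart count BY status, host", chart_count(EVENTS, "status", "host"))
    show("stats count BY status, host, action",
         stats_count(EVENTS, ["status", "host", "action"]))
```

In the stats output the 403/www3 combination simply has no row, while the chart output keeps a single 403 row with a `www3` column holding 0, which matters when a dashboard or alert expects every host to be present.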