

The stats, chart, and timechart commands are great commands to know (especially stats). When I first started learning about the Splunk search commands, I found it challenging to understand the benefits of each command, especially how the BY clause impacts the output of a search. It wasn't until I did a comparison of the output (with some trial and a whole lotta error) that I was able to understand the differences between the commands.

These three commands are transforming commands. A transforming command takes your event data and converts it into an organized results table. You can use these three commands to calculate statistics, such as count, sum, and average.

Note: The BY keyword is shown in these examples and in the Splunk documentation in uppercase for readability. You can use uppercase or lowercase in your searches when you specify the BY keyword.

For the stats command, fields that you specify in the BY clause group the results based on those fields. We are going to count the number of events for each HTTP status code. The count of the events for each unique status code is listed in separate rows in a table on the Statistics tab:

[results table: status]

Basically, the field values (200, 400, 403, 404) become row labels in the results table.

Each field you specify in the BY clause becomes a separate column in the results table. For example, we receive events from three different hosts. With host added to the BY clause:

| stats count BY status, host

Each unique combination of status and host is listed on a separate row in the results table. You're splitting the rows first on status, then on host.

[results table: status]

The fields that you specify in the BY clause of the stats command are referred to as fields.

One big advantage of using the stats command is that you can specify more than two fields in the BY clause and create results tables that show very granular statistical calculations. In this example, there are five actions that customers can take on our website: addtocart, changequantity, purchase, remove, and view. Below is a partial list of the results table that is produced when we add the action field to the BY clause:

[results table: status]

You are splitting the rows first on status, then on host, and then on action.

Using the same basic search, let's compare the results produced by the chart command with the results produced by the stats command.
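To make the row-split behaviour concrete, here is an added Python emulation of what `stats count BY ...` and `chart count BY ...` do to a set of events. It is not code from the Splunk post, and the eight access events it runs over are constructed for the example; the field names (status, host, action) and the five action values are the ones the post uses. The stats emulation accepts any number of BY fields, so the one-, two- and three-field searches described above are all the same function call, and the chart emulation shows the difference the post is about to compare: the second BY field becomes column headers instead of extra rows.

```python
from collections import Counter

# Constructed sample events (not from the original post): web access events
# carrying the three fields the post splits on. Kept small enough to check
# the resulting tables by hand.
EVENTS = [
    {"status": "200", "host": "www1", "action": "view"},
    {"status": "200", "host": "www1", "action": "purchase"},
    {"status": "200", "host": "www2", "action": "view"},
    {"status": "200", "host": "www3", "action": "addtocart"},
    {"status": "400", "host": "www1", "action": "view"},
    {"status": "403", "host": "www2", "action": "remove"},
    {"status": "404", "host": "www2", "action": "view"},
    {"status": "404", "host": "www3", "action": "changequantity"},
]


def stats_count_by(events, *by_fields):
    """Emulate `| stats count BY f1, f2, ...`.

    Every unique combination of the BY field values becomes one row; each
    BY field is its own column, followed by a count column. Adding a BY
    field never adds columns beyond that one field: it splits rows further.
    """
    counts = Counter(tuple(event[f] for f in by_fields) for event in events)
    return [dict(zip(by_fields, key), count=n) for key, n in sorted(counts.items())]


def chart_count_by(events, row_split, column_split):
    """Emulate `| chart count BY <row-split>, <column-split>`.

    The first BY field still labels the rows, but the values of the second
    field become column headers, so one row holds a cell per column value
    (0 where that combination never occurred).
    """
    columns = sorted({event[column_split] for event in events})
    counts = Counter((event[row_split], event[column_split]) for event in events)
    rows = []
    for row_value in sorted({event[row_split] for event in events}):
        row = {row_split: row_value}
        for col in columns:
            row[col] = counts.get((row_value, col), 0)
        rows.append(row)
    return rows


def format_table(rows):
    """Render a list of row dicts the way the Statistics tab would show them."""
    headers = list(rows[0].keys())
    widths = [max(len(h), *(len(str(r[h])) for r in rows)) for h in headers]
    lines = ["  ".join(h.ljust(w) for h, w in zip(headers, widths))]
    for r in rows:
        lines.append("  ".join(str(r[h]).ljust(w) for h, w in zip(headers, widths)))
    return "\n".join(lines)


if __name__ == "__main__":
    for fields in (("status",), ("status", "host"), ("status", "host", "action")):
        print(f"| stats count BY {', '.join(fields)}")
        print(format_table(stats_count_by(EVENTS, *fields)), end="\n\n")
    print("| chart count BY status, host")
    print(format_table(chart_count_by(EVENTS, "status", "host")))
```

Running it prints four tables: one row per status (4 rows), one per status/host pair (7 rows), one per status/host/action triple (8 rows, every count 1 on this small sample), and then the chart form, which has the same 4 status rows but a www1, www2 and www3 column instead of a host column. The real chart command also caps the number of column-split values and folds the rest into an OTHER column, which this emulation does not model.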
