Splunk stats, strcat, and table command

In this section, we are going to learn about the Splunk stats, strcat, and table commands, and the differences between them.

stats command

The Splunk stats command calculates aggregate statistics, such as average, count, and sum, over the set of search results. It is analogous to the GROUP BY grouping in SQL. If the stats command is used without a BY clause, it returns only one row, which is the aggregation over the entire incoming result set. Using the stats command with a BY clause returns one row for each distinct value of the fields named in the BY clause.

The stats command can be used for several operations similar to SQL. If you know SQL but are new to SPL, see Splunk SPL for SQL users.

Difference between stats and eval commands

The stats command calculates statistics over the fields in your events. The eval command uses existing fields and an optional expression to create new fields in your events.

Syntax:

Required arguments

stats-agg-term

Syntax:

Splunk strcat command

The Splunk strcat command concatenates string values from two or more fields. It combines field values and string literals to create a new field. The name of the destination field is specified at the end of the strcat command.

Syntax:

Required arguments

<dest-field>

Syntax:

Description: A destination field into which the concatenated string values, as defined by the <source-fields> argument, are saved. The destination field is placed at the end of the series of source fields.

<source-fields>

Syntax:

Description: Specify the field names and the string literals you want to concatenate. Literal values must be enclosed in quotation marks.

quoted-str

Syntax:

Description: Quoted string literals.

Example: "/" or ":"

streamstats

Description: Adds cumulative summary statistics to all search results in a streaming manner. The streamstats command calculates statistics for each event at the time the event is seen. For example, you can calculate a running total for a given field: for each event, the total is calculated using the values of that field in all events processed so far, up to and including the current event.

Syntax of the command

Required arguments

stats-agg-term

Syntax:

Description: A statistical aggregation function. The function can be applied to an eval expression, or to a field or set of fields. Use the AS clause to place the result into a new field with a name you specify. Wildcard characters can be used in field names.

Table command

The table command returns a table composed only of the fields you list in its arguments. Columns are displayed in the same order as the fields are specified. Column headers are the field names. Rows contain the field values, and each row represents one event.

The table command is similar to the fields command in that it lets you specify the fields you want to keep in your results. Use the table command when you want to keep the data in tabular format.

Do not use the table command for charts, except for a scatter plot that shows trends in the relationships between discrete values of your data.

Syntax:

Arguments

<wc-field-list>

Syntax:

Description: A list of field names. Wildcard characters can be used in field names.

Usage

The table command is a transforming command. See the tutorial on command types for more information.

Visualizations

Apart from a scatter plot, you cannot use the table command to build visualizations. Splunk Web requires the internal fields, which are the fields that begin with an underscore character, to create visualizations. By default, the table command strips those fields from the results. Use the fields command instead to create visualizations.

The fields command retains all the internal fields.

Command type

The table command is a non-streaming command. If you need a streaming command with table-like behaviour, use the fields command.

Field renaming

The table command does not allow you to rename fields; it only specifies the fields you want to display in your tabulated results. If you need to rename a field, do it before the results are piped to table.

Truncated results

The table command truncates the number of results returned based on settings in the limits.conf file. If the truncate_report parameter in the [search] stanza is set to 1, the number of returned results is truncated.

The number of results is controlled by the max_count parameter in the [search] stanza. If truncate_report is set to 0, the max_count parameter is not applied.
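The following search ties the four commands together in one pipeline that summarises failed HTTP requests per client endpoint. It is an added example, not from the original tutorial, and the index, sourcetype and field names (web, access_combined, src_ip, src_port, status, uri_path) are assumptions that must be adapted to your own data:

```spl
index=web sourcetype=access_combined status>=400
| strcat src_ip ":" src_port src_endpoint
| stats count AS failures, dc(uri_path) AS distinct_paths BY src_endpoint, status
| sort - failures
| streamstats sum(failures) AS running_failures
| table src_endpoint, status, failures, distinct_paths, running_failures
```

strcat builds src_endpoint from two fields and a ":" literal, stats collapses the events to one row per endpoint and status code, streamstats adds a running total across the sorted rows, and table selects the columns and their order. Because table drops internal fields such as _time, this output is suited to a results table, not a chart.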

