
# Splunk stats earliest how to

Required arguments

stats-agg-term
Syntax: ( | )
Description: A statistical aggregation function. The function can be applied to an eval expression, or to a field or set of fields. You can use wildcard characters in field names. For more information on eval expressions, see Types of eval expressions in the Search Manual.

sparkline-agg-term
Syntax:
Description: A sparkline aggregation function. Use the AS clause to place the result into a new field with a name that you specify. You can use wildcard characters in the field name.

Optional arguments

allnum
Syntax: allnum=
Description: If true, computes numerical statistics on each field if and only if all of the values of that field are numerical.
Default: false

by-clause
Syntax: BY
Description: The name of one or more fields to group by. You cannot use a wildcard character to specify multiple fields with similar names. The BY clause returns one row for each distinct value in the BY clause fields. If no BY clause is specified, the stats command returns only one row, which is the aggregation over the entire incoming result set.

dedup_splitvals
Syntax: dedup_splitvals=
Description: Specifies whether to remove duplicate values in multivalued BY clause fields.
Default: false

delim
Syntax: delim=
Description: Specifies how the values in the list() or values() aggregation are delimited.
Default: a single space

partitions
Syntax: partitions=
Description: Partitions the input data based on the split-by fields for multithreaded reduce. The partitions argument runs the reduce step (in parallel reduce processing) with multiple threads in the same search process on the same machine. Compare that with parallel reduce, using the redistribute command, which runs the reduce step in parallel on multiple machines. When partitions=0, the value of the partitions argument is the same as the value of the default_partitions setting in the nf file.
Default: Set to the same value as the default_partitions setting in the nf file, which is 1 by default.

Stats function options

stats-func
Syntax: The syntax depends on the function that you use.
Description: Statistical and charting functions that you can use with the stats command. Each time you invoke the stats command, you can use one or more functions. The following table lists the supported functions by type of function. Use the links in the table to see descriptions and examples for each function. For an overview about using functions with commands, see Statistical and charting functions.

Sparklines are inline charts that appear within table cells in search results to display time-based trends associated with the primary key of each row. Read more about how to "Add sparklines to your search results" in the Search Manual.

sparkline-agg
Syntax: sparkline (count(), ) | sparkline ((), )
Description: A sparkline specifier, which takes the first argument of an aggregation function on a field and an optional timespan specifier. If no timespan specifier is used, an appropriate timespan is chosen based on the time range of the search. If the sparkline is not scoped to a field, only the count aggregator is permitted. You can use wildcard characters in the field name.

sparkline-func
Syntax: c() | count() | dc() | mean() | avg() | stdev() | stdevp() | var() | varp() | sum() | sumsq() | min() | max() | range()
Description: Aggregation function to use to generate sparkline values. Each sparkline value is produced by applying this aggregation to the events that fall into each particular time bin.

Usage

The stats command is a transforming command. See Command types.

Eval expressions with statistical functions

When you use the stats command, you must specify either a statistical function or a sparkline function. When you use a statistical function, you can use an eval expression as part of the statistical function.

index=* | stats count(eval(status="404")) AS count_status BY sourcetype

Statistical functions that are not applied to specific fields

With the exception of the count function, when you pair the stats command with functions that are not applied to specific fields or eval expressions that resolve into fields, the search head processes it as if it were applied to a wildcard for all fields. In other words, when you have | stats avg in a search, it returns results for | stats avg(*). This "implicit wildcard" syntax is officially deprecated, however. Write | stats (*) when you want a function to apply to all possible fields.

Numeric calculations

During calculations, numbers are treated as double-precision floating-point numbers, subject to all the usual behaviors of floating point numbers. If the calculation results in the floating-point special value NaN, it is represented as "nan" in your results.
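As an added example that is not from the Splunk documentation, the search below combines the pieces described above into one monitoring query for a web access log: eval expressions inside count(), AS renaming, a multi-field BY clause with dedup_splitvals, delim for a values() aggregation, and a sparkline per row. The index, sourcetype and field names (web, access_combined, status, clientip, uri_path, host) are assumed for illustration and are not taken from the page.

```spl
index=web sourcetype=access_combined
| stats delim=", "
        count AS total,
        count(eval(status="404")) AS count_404,
        count(eval(status>=500)) AS count_5xx,
        dc(clientip) AS distinct_clients,
        values(uri_path) AS paths,
        earliest(_time) AS first_seen,
        latest(_time) AS last_seen,
        sparkline(count, 1h) AS hourly_trend
  BY sourcetype host dedup_splitvals=true
| eval pct_404=round(100*count_404/total, 2)
| convert ctime(first_seen) ctime(last_seen)
| where count_404 > 0 OR count_5xx > 0
| sort - pct_404
```

Because each row is one distinct sourcetype/host pair, a host whose pct_404 or count_5xx stands out from its peers is easy to spot, and the sparkline shows whether the errors are steady or a burst within the search window; a division such as count_404/total on a row with total=0 would surface as "nan", which the where clause already excludes.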
