Splunk stats list on same line12/22/2023 ![]() The from_domain is defined as the portion of the mailfrom field after the symbol. The first part of this search uses the eval command to break up the email address in the mailfrom field. ![]() | eval from_domain=mvindex(accountname,-1) The eval command in this search contains two expressions, separated by a comma. For example, the email might be To, From, or Cc).įind out how much of the email in your organization comes from. You should be able to run this search on any email data by replacing the sourcetype=cisco:esa with the sourcetype value and the mailfrom field with email address field name in your data. Use eval expressions to categorize and count fields This example uses sample email data. The results appear on the Statistics tab and look something like this: The counts of both types of events are then separated by the web server, using the BY clause with the host field.The second clause does the same for POST events.Then, using the AS keyword, the field that represents these results is renamed GET. The first clause uses the count() function to count the Web access events that contain the method field value GET.This example uses eval expressions to specify the different field values for the stats command to count. Sourcetype=access_* | stats count(eval(method="GET")) AS GET, count(eval(method="POST")) AS POST BY host Run the following search to use the stats command to determine the number of different page requests, GET and POST, that occurred for each Web server. Use the time range All time when you run the search. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use eval expressions to count the different types of requests against each Web server This example uses the sample data from the Search Tutorial but should work with any format of Apache web access log. Status=* | stats dc(eval(if(status=404, clientip, NULL()))) AS dc_ip_errors Status=* | eval dc_ip_errors=if(status=404,clientip,NULL()) | stats dc(dc_ip_errors)Īs an alternative, you can embed an eval expression using eval functions in a stats function directly to return the same results. ![]() ![]() Then the stats function is used to count the distinct IP addresses. This is a shorthand method for creating a search without using the eval command separately from the stats command.įor example, the following search uses the eval command to filter for a specific error code. You can embed eval expressions and functions within any of the stats functions. Use stats with eval expressions and functions When you use the span argument, the field you use in the must be either the _time field, or another field with values in UNIX time. This example counts the values in the action field and organized the results into 30 minute time spans. If there are two distinct hosts and two distinct sourcetypes, the search will produce results similar to this:Ĥ. It returns the sum of the bytes in the Sum of bytes field and the average bytes in the Average field for each group. This search organizes the incoming search results into groups based on the combination of host and sourcetype. | stats sum(bytes) AS 'Sum of bytes', avg(bytes) AS Average BY host, sourcetype You can rename the output fields using the AS clause. You can also specify more than one aggregation and with the stats command. Specifying multiple aggregations and multiple by-clause fields If there are two distinct hosts, the results are returned as a table similar to this:ģ. If you don't specify a name for the results using the `AS syntax, then the names of the columns are the name of the field and the name of the aggregation. There are two columns returned: host and sum(bytes). The results contain as many rows as there are distinct host values. ![]() This example takes the incoming result set and calculates the sum of the bytes field and groups the sums by the values in the host field. The name of the column is the name of the aggregation. This search summarizes the bytes for all of the incoming results. If you just want a simple calculation, you can specify the aggregation without any other arguments. You can specify the AS and BY keywords in uppercase or lowercase in your searches. The AS and BY keywords are displayed in uppercase in the syntax and examples to make the syntax easier to read. See Overview of SPL2 stats and chart functions. Many of these examples use the statistical functions. To learn more about the stats command, see How the stats command works. The following are examples for using the SPL2 stats command. ![]()
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |