This post is to explicate the working of statistic command and how it differs. The main commands available in Splunk are stats, eventstats, streamstats, and tstats.
As an analyst, we come across many dashboards while making dashboards, alerts, or understanding existing dashboards. These are indeed challenging to understand but they make our work easy. So let’s find out how these stats commands work.
What are Stats Commands in Splunk?
The purpose of statistics or stats commands is to calculate summary statistics on the search results. These are derived from events that are retrieved from an index. The stats command perform on the search results on the whole and it returns only the fields that you mention.
What are the Different Types of Stats Commands?
Let’s explore one by one.
It calculates comprehensive statistics over the dataset that is similar to SQL aggregation. When you call it without a by-clause, it produces one row which depicts the aggregation of the entire incoming result set. When you call it with a by-clause, it produces one row for each distinct value of the by-clause.
You will use stats command more often although it has a couple of siblings named eventstats and streamstats.
Various statistical functions are available such as sum(), avg(), count(), sumsq(), distinct_count(), median(), stdev(),etc.
In the above example, stats command returns 4 statistical results for “log_level” field with the count of each value in the field.
This calculates a statistical result similar to stats command. But the only difference is, it does not generate statistical results rather it aggregates them with the original raw data.
When we get some results using stats command, Splunk won’t know the native fields and hence it displays only the fields that are included in results. This is where eventstats command helps.
In the above example, you can see the newly created field “count” as well as the original fields such as “log_level” and “class”.
Streamstats assist in aggregating statistics in a streaming manner similar to eventstats. It clusters the statistics to the original data, thus all of the original data becomes available for further calculations.
This command utilizes events before the current event to evaluate the aggregate statistics that are applied to individual events.
In the above example, it’s computing the sum of the “status” value concerning “method”. And for the next iteration, it’s taking the previous value into account.
Tstats are faster than stats, as tstats looks only at the indexed metadata, .tsidx files. (i.e., only metadata fields such as source type, host, source, and _time).
Tstats executes on the index-time fields with the following methods:
• Accelerated data models
• A namespace created using “tscollect” search command
• Manual index-time fields through fields.conf, props.conf, and transforms.conf
The indexed fields are from normal index data, accelerated data models, or tscollect data.
I hope the above explanation gives you a clear insight into stats commands and their uses. Hence, next time when you see a Splunk dashboard or develop your dashboard, you know to choose the right stats command.
Kindly comment below for more interesting Splunk topics. We will be happy to provide you with the appropriate solution. Also, do not forget to follow us on Social Media. Happy Splunking.