Stats: Splunk Commands Tutorials & Reference

Commands Category: Filtering
Commands: stats
Use: Calculates aggregate statistics, such as average, count, and sum, over the result set.

If the stats command is used without a BY clause, only one row is returned, which is the aggregation over the entire incoming result set. If a BY clause is used, one row is returned for each distinct value specified in the BY clause.

Difference between stats and eval commands
The stats command calculates statistics based on fields in your events. The eval command creates new fields in your events by using existing fields and an arbitrary expression.

Lab: Use the count function of the stats command to find out how many items were added to a cart.

Sample Data - Download sample data for lab: /tutorial/splunk/labs/fundamental/Splunk_f1_Data.zip

index=main sourcetype=access_combined_wcookie file=success.do OR file=cart.do status=200

# Use the stats count function with a by clause to count events by the file that was served.
index=main sourcetype=access_combined_wcookie file=success.do OR file=cart.do status=200 | stats count by file

# Notice that the count column is labeled count by default. Use an as clause to rename the column to Transactions.
index=main sourcetype=access_combined_wcookie file=success.do OR file=cart.do status=200 | stats count as Transactions by file

# Using the rename command, change the name of the file field to Function.
index=main sourcetype=access_combined_wcookie file=success.do OR file=cart.do status=200 | stats count as Transactions by file | rename file as Function

# Use search terms with the stats dc function to count all sessions (JSESSIONID) that have been used in our web application data.
index=main sourcetype=access_combined_wcookie | stats dc(JSESSIONID)

# Using the by clause, split the Logins by clientip.
index=main sourcetype=access_combined_wcookie | stats dc(JSESSIONID) as Logins by clientip

# Use the sort command to sort Logins so that the clientip with the most Logins is displayed at the top of the list. Make a note of the top clientip; you might be asked about it in the quiz.
index=main sourcetype=access_combined_wcookie | stats dc(JSESSIONID) as Logins by clientip | sort -Logins

# Use the stats sum function to find the total bytes used for the web application.
index=main sourcetype=access_combined_wcookie status=200 | stats sum(bytes) as TotalBytes

# Split the results by the file field using the by clause.
index=main sourcetype=access_combined_wcookie status=200 | stats sum(bytes) as TotalBytes by file

# Use the sort command to sort the file names into alphabetical order.
index=main sourcetype=access_combined_wcookie status=200 | stats sum(bytes) as TotalBytes by file | sort file

# Search all database events and use the average (avg) function of the stats command to get an average Duration of all queries.
index=main sourcetype=db_audit | stats avg(Duration)

# Use as and by clauses to rename the average field to time to complete and split by the Command.
index=main sourcetype=db_audit | stats avg(Duration) as "time to complete" by Command

# Sort the time to complete so that Command values that take the longest are shown first.
index=main sourcetype=db_audit | stats avg(Duration) as "time to complete" by Command | sort - "time to complete"

# Use the stats list function to generate a list of all useragent values that have accessed the web application.
index=main sourcetype=access_combined_wcookie | stats list(useragent)

# Use the stats values function to only return one instance of each useragent. Add an as clause to name the result as Agents used.
index=main sourcetype=access_combined_wcookie | stats values(useragent) as "Agents used"

# This report would be much more useful if we knew the number of times each useragent was used. Add a count function to the stats command that counts the events by useragent as Times used. Put the results of Agents used and Times used into a table.
index=main sourcetype=access_combined_wcookie | stats values(useragent) as "Agents used" count as "Times used" by useragent | table "Agents used" "Times used"
(The page's copy of this query is cut off after `count as`; the remainder above is filled in from the step description.)
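To make the behaviour of the stats functions in this lab concrete without a Splunk instance, here is an added example (not part of the tutorial, and not Splunk's own code): a small Python model of `stats` with `count`, `dc`, `sum`, `avg`, `values` and `list`, with and without a `by` clause, run over constructed access_combined_wcookie-style log lines and a handful of constructed db_audit-style events. The log lines, IP addresses, session ids and durations are all made up for the example and are not from Splunk_f1_Data.zip; the `stats()` helper and its `specs` argument are this example's own convention, not Splunk syntax.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample events in the Apache combined-with-cookie layout that the
# access_combined_wcookie sourcetype parses. They are made up for this example,
# not taken from the lab's Splunk_f1_Data.zip.
SAMPLE_LOG = """\
10.0.0.1 - - [10/Oct/2023:10:00:01 +0000] "GET /cart.do?action=addtocart&itemId=EST-6 HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (Windows NT 10.0)" "JSESSIONID=SD1SL1"
10.0.0.1 - - [10/Oct/2023:10:00:05 +0000] "GET /cart.do?action=addtocart&itemId=EST-7 HTTP/1.1" 200 800 "-" "Mozilla/5.0 (Windows NT 10.0)" "JSESSIONID=SD1SL1"
10.0.0.1 - - [10/Oct/2023:10:00:09 +0000] "POST /success.do HTTP/1.1" 200 300 "-" "Mozilla/5.0 (Windows NT 10.0)" "JSESSIONID=SD1SL1"
10.0.0.2 - - [10/Oct/2023:10:01:00 +0000] "GET /cart.do?action=addtocart&itemId=EST-1 HTTP/1.1" 200 1000 "-" "Mozilla/5.0 (Macintosh)" "JSESSIONID=SD2SL7"
10.0.0.2 - - [10/Oct/2023:10:01:04 +0000] "GET /cart.do?action=purchase HTTP/1.1" 500 0 "-" "Mozilla/5.0 (Macintosh)" "JSESSIONID=SD2SL7"
10.0.0.1 - - [10/Oct/2023:11:30:00 +0000] "GET /success.do HTTP/1.1" 200 350 "-" "Mozilla/5.0 (Windows NT 10.0)" "JSESSIONID=SD3SL9"
10.0.0.3 - - [10/Oct/2023:12:00:00 +0000] "GET /product.screen?productId=WC-SH-A01 HTTP/1.1" 200 4200 "-" "Googlebot/2.1" "JSESSIONID=SD4SL2"
"""

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<useragent>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse(raw):
    """Turn raw lines into event dicts carrying the fields the lab searches on:
    clientip, file, status, bytes, useragent, JSESSIONID."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skipped here, whereas Splunk would still index it
        e = m.groupdict()
        e["file"] = e["uri"].split("?", 1)[0].rsplit("/", 1)[-1]  # last path segment, like Splunk's file field
        e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
        sid = re.search(r"JSESSIONID=([^;\s]+)", e["cookie"])
        if sid:
            e["JSESSIONID"] = sid.group(1)
        events.append(e)
    return events


# The stats functions used in the lab. `values` keeps one instance of each
# value, `list` keeps every occurrence.
AGG = {
    "count": len, "dc": lambda v: len(set(v)), "sum": sum, "avg": mean,
    "values": lambda v: sorted(set(v)), "list": list,
}


def stats(events, specs, by=None):
    """Model of `| stats f(x) as alias ... [by field]`. specs is a list of
    (func, field or None, alias); field None means a plain count of events.
    Without `by` exactly one row comes back; with `by` one row per distinct
    value, and events lacking the by-field are dropped, as Splunk does."""
    groups = defaultdict(list)
    for e in events:
        if by is None:
            groups[None].append(e)
        elif by in e:
            groups[e[by]].append(e)
    rows = []
    for key, evs in groups.items():
        row = {} if by is None else {by: key}
        for func, field, alias in specs:
            row[alias] = AGG[func](evs if field is None else [e[field] for e in evs if field in e])
        rows.append(row)
    return rows


EVENTS = parse(SAMPLE_LOG)
DB_EVENTS = [  # constructed stand-ins for sourcetype=db_audit events (Duration in ms)
    {"Command": "SELECT", "Duration": 20}, {"Command": "SELECT", "Duration": 40},
    {"Command": "INSERT", "Duration": 10},
    {"Command": "UPDATE", "Duration": 50}, {"Command": "UPDATE", "Duration": 70},
]


def transactions_by_function():
    # file=success.do OR file=cart.do status=200 | stats count as Transactions by file | rename file as Function
    sel = [e for e in EVENTS if e["file"] in ("success.do", "cart.do") and e["status"] == "200"]
    return [{"Function": r["file"], "Transactions": r["Transactions"]}
            for r in stats(sel, [("count", None, "Transactions")], by="file")]


def logins_by_clientip():
    # | stats dc(JSESSIONID) as Logins by clientip | sort -Logins
    rows = stats(EVENTS, [("dc", "JSESSIONID", "Logins")], by="clientip")
    return sorted(rows, key=lambda r: -r["Logins"])


def total_bytes_by_file():
    # status=200 | stats sum(bytes) as TotalBytes by file | sort file
    rows = stats([e for e in EVENTS if e["status"] == "200"], [("sum", "bytes", "TotalBytes")], by="file")
    return sorted(rows, key=lambda r: r["file"])


def agents_used():
    # | stats values(useragent) as "Agents used" count as "Times used" by useragent
    return stats(EVENTS, [("values", "useragent", "Agents used"), ("count", None, "Times used")], by="useragent")


def slowest_commands():
    # sourcetype=db_audit | stats avg(Duration) as "time to complete" by Command | sort - "time to complete"
    rows = stats(DB_EVENTS, [("avg", "Duration", "time to complete")], by="Command")
    return sorted(rows, key=lambda r: -r["time to complete"])
```

With the constructed sample, `stats(EVENTS, [("dc", "JSESSIONID", "sessions")])` returns a single row (four distinct sessions) because there is no `by` clause, while `logins_by_clientip()` returns one row per clientip and puts 10.0.0.1 first, since that address used two different sessions. The 500-status cart event is dropped by the `status=200` filter before `sum(bytes)` runs, which is why filtering terms in the base search, not only the aggregation, decides what a report shows.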