Aggregate functions summarize the values from each event to create a single, meaningful value. Most aggregate functions are used with numeric fields. Common aggregate functions include Average, Count, Minimum, Maximum, Standard Deviation, Sum, and Variance. You can use these three commands to calculate statistics, such as count, sum, and average.

Difference between stats and eval commands

Command: stats. Use: Calculates aggregate statistics, such as average, count, and sum, over the results set.

The avg function returns the average, or mean, of the values in a field. Usage: You can use this function with the stats, eventstats, streamstats, and timechart commands.

As per this question, the following search will count the events per hour between 48 hours ago and 24 hours ago:

    sourcetype=your_sourcetype earliest=-48h latest=-24h | bucket _time span=1h | stats count by _time | sort - count

(change this as you see fit or remove earliest and latest)

If you want to average all of those results, you would add stats avg(count) at the end of the search:

    sourcetype=your_sourcetype earliest=-48h latest=-24h | bucket _time span=1h | stats count by _time | stats avg(count)

This will average out the number of events per hour.

You can use uppercase or lowercase in your searches when you specify the BY keyword. Note: The BY keyword is shown in these examples and in the Splunk documentation in uppercase for readability.

This calculates the total of all the counts by refererdomain, and sorts them in descending order by count (with the largest refererdomain first). You have to flip the table around a bit to do that, which is why I used chart instead of timechart.