Using stats to aggregate values

While top is very convenient, stats is extremely versatile. The basic structure of a stats statement is:

stats functions by fields

Many of the functions available in stats mimic similar functions in SQL or Excel, but there are many functions unique to Splunk. The simplest stats function is count. Given the following query, the results will contain exactly one row, with a value for the field count:

sourcetype="impl_splunk_gen" error | stats count

Using the by clause, stats will produce a row per unique value for each field listed, which is similar to the behavior of top. Run the following query:

sourcetype="impl_splunk_gen" error | stats count by logger user

It will produce a table like that shown in the following screenshot: ...

Get Implementing Splunk: Big Data Reporting and Development for Operational Intelligence now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Implementing Splunk: Big Data Reporting and Development for Operational Intelligence by Vincent Bumgarner

Using stats to aggregate values

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly