avg(req_time) produces an average value of the req_time field.
max(req_time) as "Slowest time" finds the maximum value of the req_time field and places the value in a field called Slowest time. The quotes are necessary because the field name contains a space.
by indicates that we are done listing functions and want to list the fields to slice the data by. If the data does not need to be sliced, by and the fields following it can be omitted.
logger and user are our fields for slicing the data. All functions are actually run against each set of data produced per possible combination of logger and user.
If an event is missing a field that is referenced in a stats command, you may not see the results you are expecting. For instance, when computing an average, you may wish for events missing a field to count as zeroes in the average, but stats simply leaves them out of the calculation. Also, events that do not contain a field listed in the by fields will simply be ignored.
To deal with both of these cases, you can use the fillnull command to make sure that the fields you want exist. We will cover this in Chapter 5, Advanced Search Examples.
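The two missing-field cases just described, as an added example that is not from the book: a small Python stand-in for stats count avg() max() by, run over constructed events, plus a fillnull stand-in showing how filling the gaps changes the result. The function names and sample events are my own, not Splunk's.

```python
from collections import defaultdict

# Constructed sample events (not from the book). One event lacks req_time and
# one lacks logger, so both missing-field cases from the text are exercised.
EVENTS = [
    {"logger": "FooClass", "user": "mary", "req_time": 100},
    {"logger": "FooClass", "user": "mary", "req_time": 300},
    {"logger": "FooClass", "user": "mary"},                   # no req_time
    {"logger": "BarClass", "user": "bob", "req_time": 50},
    {"user": "bob", "req_time": 900},                         # no logger
]

def fillnull(events, fields, value=0):
    """Stand-in for `fillnull value=0 <fields>`: add missing fields with a default."""
    return [{**e, **{f: e.get(f, value) for f in fields}} for e in events]

def stats_by(events, by, field):
    """Stand-in for `stats count avg(<field>) max(<field>) by <by...>`.

    Events lacking any by-field are dropped from the output entirely; events
    lacking <field> still add to count but are skipped by avg/max, which is
    why an average can come out higher than you expect.
    """
    groups = defaultdict(list)
    for e in events:
        if any(b not in e for b in by):
            continue  # stats silently ignores events missing a by-field
        groups[tuple(e[b] for b in by)].append(e)
    result = {}
    for key, evs in groups.items():
        values = [e[field] for e in evs if field in e]
        result[key] = {
            "count": len(evs),
            f"avg({field})": sum(values) / len(values) if values else None,
            f"max({field})": max(values) if values else None,
        }
    return result

if __name__ == "__main__":
    print(stats_by(EVENTS, ["logger", "user"], "req_time"))
    filled = fillnull(EVENTS, ["req_time", "logger"])
    print(stats_by(filled, ["logger", "user"], "req_time"))
```

Without fillnull, mary's average is 200 over two events even though count is 3, and bob's logger-less event vanishes; after filling, the zero is averaged in and the extra event appears under logger 0.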
Let's look at another example, using a time-based function and a little trick. Let's say
we wanted to know the most recent time at which each user saw a particular error.
We can use the following query:
sourcetype="impl_splunk_gen" error logger="FooClass"
| stats count first(ip) max(_time) as _time by user
This query produces the following table: