Stats command splunk

Stats command splunk DEFAULT

Splunk stats, strcat, and table command

next →← prev

In this section, we are going to learn about the Splunk Stats, strcat, and table command. We have also explained the differences among them.

stats command

The Splunk stats command, calculates aggregate statistics over the set outcomes, such as average, count, and sum. It is analogous to the grouping of SQL. If the stats command is used without a BY clause, it returns only one row, which is the aggregation over the entire incoming result collection. Using stats command with BY clause returns one row for each distinct value defined in the BY clause.

The stats command may be used for several operations similar to SQL. If you know the SQL but are new to SPL, see Splunk SPL for SQL users.

Difference between stats and eval commands

The command Stats measures statistics in your events based on fields. The eval command uses existing fields and an optional expression to construct new fields in your events.


Required arguments



Splunk strcat command

Splunk strcat command concatenates the string values from 2 fields or more. It combines string values and literals together to create a new field. At the end of the strcat command, a name for the destination field is specified.


Required arguments



Description: A destination field, as defined by the argument < source-fields > to save the concatenated string values into. The area of destination is often at the end of source area string.



Description: Specify the field names and literal value of the string you want to concatenate with. Literal meanings ought to be expressed in quotation marks.



Description: Quoted string literals.

Example: "/" or ":"


Description: Adds combined summary information in streaming way across all search results. The command streamstats measures statistics for each case at the time it is displayed. For example, for a given field, you can measure the running total. For each event that has been processed, up to the current event, the total is calculated using the values in the given field.

Syntax of the command

Required arguments



Description: It is a method of Statistical Aggregation. The function can be extended to an expression of eval, or to a field or field set. Use the AS clause to place the result into a new field with your specified name. Wild card characters can be used in field names.

Table command

The table command returns a table that is only composed of the fields you list in the arguments. Columns are displayed in the same order as those specified in fields. Column headers are names for fields. Rows are attributes for fields. That row is symbolic of a case.

The table command is similar to the fields command as it allows you to define the fields that you want to hold in your tests. When you want to maintain data in tabular format, use the table order.

You should not use the table command for charts except for a scatter plot to show trends in the relationships between discrete values of your data.





Description: A list of names to regions. Wild card characters can be used in field names.


The Table command is a command that transforms. See tutorial on command types for more information.


Apart from a scatter map, you cannot use the visualizations table order. Splunk Web requires visualizations to be made by the internal fields, which are the fields that begin with an underscore character. By default, the table command strips those fields from the results. Alternatively, you can use the fields command to create visualizations.

The command fields still maintains all the internal fields.

Command type

The command table is a non-streaming system. If you are following a table-like streaming interface, use the fields interface.

Field renaming

The table command does not allow you to rename fields, just define the fields you want to display in your tabulated results. If you must rename a sector, do it before the results are piped to the table.

Truncated results

The table command trunks the number of results returned in the limits.conf file based on the settings. If the value for the parameter truncate_report is 1 in the [search] stanza, the number of returned results is truncated.

In the [search] stanza, the number of results is regulated by the parameter max_count. If the truncate report is set to 0, it does not add the parameter max_count.

Next Topic#

← prevnext →


Corero’s DDoS Analytics App for Splunk Enterprise leverages Splunk software for big data analytics and visualization capabilities that transform security event data into sophisticated dashboards. For those who use Splunk, this blog will explain some real-world, everyday uses of the application. As you read through the stats commands shown below, keep in mind that these commands are being done on created example data as actual Corero events are much more detailed.

How to Structure Splunk Data

When using Splunk, the key to showcasing your data or unearthing hidden correlations is understanding the stats command returned results, and molding those results to suit your needs. For example, Figure 1 below is a Splunk dashboard of some packet data. The data consists of 15 events. Depending on the how the stats command is used, different views of the same data can be visualized.


To simply count the events: stats count
This counts the events and gives a one row, one column answer of 15.

The stats command can count occurrences of a field in the events.
To count the events, count the events with a dip (destination IP) field, and count the events with a dprt (destination port) field: stats count count(dip) count(dprt)
Notice that the count(dprt) is one less, this is because one of the events does not have a dprt field (it is an ICMP packet). All the counts appear on the same row, this is important in future operations and when comparing data.

The stats command also allows counting by a field, when this is done a row is created for every distinct value of that field.
To count the number of events per dip: stats count by dip
There are four different IP addresses in the data set so four rows are created. If an event did not have a dip field, it would NOT be listed.

Multiple by fields can be used, each distinct combination will have a row. To count each dip and dprt combination: stats count by dip dprt
Notice that the dip only has two entries, where in the preceding example it had three. This is because one of the events was ICMP and has no dprt. Any event that doesn’t have ALL of the by fields will not be shown.

Both examples on the bottom row of the figure are breakdowns by prot (protocol) and show the same numerical results.

Count the events by protocol using a by field (creating a row for each distinct protocol):
stats count by prot | replace 1 with icmp, 6 with tcp, 17 with udp in prot
The replace command is just to ease comparison and is not needed

Count the events by protocol using conditional counting (creating a column for each distinct protocol listed):
stats count(eval(prot=1)) as icmp count(eval(prot=6)) as tcp count(eval(prot=17)) as udp

While both are “correct”, in some cases data needs to be manipulated with evals and other commands and this can only happen when the data is in the same row.

The second example uses a conditional count; by using an eval in the count, only certain events are counted. This conditional counting must also be accompanied by the “as” command to rename the field created, because all three cannot use the same field name of count. In this case the protocol name was used. While this has some benefits, the downside is that the protocols must be listed by hand, unlike when using the “by” field. By using the correct stats command, preparing your data for further analysis or viewing becomes a lot easier.

For over a decade, Corero has been providing state-of-the-art, highly-effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. If you’d like to learn more, please contact us.

  1. Cliff platform ark
  2. Ncaa live bracket
  3. Ark tek armor
  4. Chicago elite baseball
  5. Nevada unemployment insurance

Search commands > stats, chart, and timechart

The statschart, and timechart commands are great commands to know (especially stats). When I first started learning about the Splunk search commands, I found it challenging to understand the benefits of each command, especially how the BY clause impacts the output of a search. It wasn't until I did a comparison of the output (with some trial and a whole lotta error) that I was able to understand the differences between the commands. 

These three commands are transforming commands. A transforming command takes your event data and converts it into an organized results table. You can use these three commands to calculate statistics, such as count, sum, and average. 

Note: The BY keyword is shown in these examples and in the Splunk documentation in uppercase for readability. You can use uppercase or lowercase in your searches when you specify the BY keyword.

The Stats Command Results Table

Let's start with the stats command. We are going to count the number of events for each HTTP status code.

... | stats count BY status

The count of the events for each unique status code is listed in separate rows in a table on the Statistics tab:

status  count  

Basically the field values (200, 400, 403, 404) become row labels in the results table. 

For the stats command, fields that you specify in the BY clause group the results based on those fields. For example, we receive events from three different hosts: www1, www2, and www3. If we add the host field to our BY clause, the results are broken out into more distinct groups.  

... | stats count BY status, host

Each unique combination of status and host is listed on a separate row in the results table.



Each field you specify in the BY clause becomes a separate column in the results table. You're splitting the rows first on status, then on host. The fields that you specify in the BY clause of the stats command are referred to as <row-split> fields.

In this example, there are five actions that customers can take on our website: addtocart, changequantity, purchase, remove, and view. 

Let's add action to the search.

... | stats count BY status, host, action

You are splitting the rows first on status, then on host, and then on action. Below is a partial list of the results table that is produced when we add the action field to the BY clause:


One big advantage of using the stats command is that you can specify more than two fields in the BY clause and create results tables that show very granular statistical calculations.

Chart Command Results Table

Using the same basic search, let's compare the results produced by the chart command with the results produced by the stats command.

If you specify only one BY field, the results from the stats and chart commands are identical. Using the chart command in the search with two BY fields is where you really see differences. 

Remember the results returned when we used the stats command with two BY fields are:



Now let's substitute the chart command for the stats command in the search.

... | chart count BY status, host

The search returns the following results: 


The chart command uses the first BY field, status, to group the results. For each unique value in the status field, the results appear on a separate row. This first BY field is referred to as the <row-split> field. The chart command uses the second BY field, host, to split the results into separate columns. This second BY field is referred to as the <column-split> field. The values for the host field become the column labels.

Notice the results for the 403 status code in both results tables. With the stats command, there are no results for the 403 status code and the www1 and www3 hosts. With the chart command, when there are no events for the <column-split> field that contain the value for the <row-split> field, a 0 is returned. 

One important difference between the stats and chart commands is how many fields you can specify in the BY clause.

With the stats command, you can specify a list of fields in the BY clause, all of which are <row-split> fields. The syntax for the stats command BY clause is:

BY <field-list>

For the chart command, you can specify at most two fields. One <row-split> field and one <column-split> field.  

The chart command provides two alternative ways to specify these fields in the BY clause. For example:

... | chart count BY status, host

... | chart count OVER status BY host

The syntax for the chart command BY clause is:

[ BY <row-split> <column-split> ] | [ OVER <row-split> ] [BY <column-split>] ]

The advantage of using the chart command is that it creates a consolidated results table that is better for creating charts. Let me show you what I mean.

Stats and Chart Command Visualizations

When you run the stats and chart commands, the event data is transformed into results tables that appear on the Statistics tab. Click the Visualization tab to generate a graph from the results. Here is the visualization for the stats command results table:

The status field forms the X-axis, and the host and count fields form the data series. The range of count values form the Y-axis.

There are several problems with this chart:

  1. There are multiple values for the same status code on the X-axis. 
  2. The host values (www1, www2, and www3) are string values and cannot be measured in the chart. The host shows up in the legend, but there are no blue columns in the chart.

Because of these issues, the chart is confusing and does not convey the information that is in the results table.

While you can create a usable visualization from the stats command results table, the visualization is useful only when you specify one BY clause field. 

It's better to use the chart command when you want to create a visualization using two BY clause fields:

The status field forms the X-axis and the host values form the data series. The range of count values form the Y-axis.

What About the Timechart Command?

When you use the timechart command, the results table is always grouped by the event timestamp (the _time field). The time value is the <row-split> for the results table. So in the BY clause, you specify only one field, the <column-split> field.  For example, this search generates a count and specifies the status field as the  <column-split> field:

... | timechart count BY status

This search produces this results table:


If you search by the host field instead, this results table is produced:






The time increments that you see in the _time column are based on the search time range or the arguments that you specify with the timechart command.  In the previous examples the time range was set to All time and there are only a few weeks of data. Because we didn't specify a span, a default time span is used. In this situation, the default span is 1 day.

If you specify a time range like Last 24 hours, the default time span is 30 minutes. The Usage section in the timechart documentation specifies the default time spans for the most common time ranges. This results table shows the default time span of 30 minutes:

2018-07-12 15:00:00442273
2018-07-12 15:30:00345331
2018-07-12 16:00:00143336
2018-07-12 16:30:00462154
2018-07-12 17:00:00752638
2018-07-12 17:30:00385114
2018-07-12 18:00:00622415

The timechart command includes several options that are not available with the stats and chart commands. For example, you can specify a time span like we have in this search:

... | timechart span=12h count BY host

2018-07-04 17:00801783819
2018-07-05 05:00795847723
2018-07-05 17:00192616611642
2018-07-06 05:00150117741542
2018-07-06 17:00203319091857
2018-07-07 05:00148216711594
2018-07-07 17:00202718182036

In this example, the 12-hour increments in the results table are based on when you run the search (local time) and how that aligns that with UNIX time (sometimes referred to as epoch time).

Note: There are other options you can specify with the timechart command, which we'll explore in a separate blog.

So how do these results appear in a chart? On the Visualization tab, you see that _time forms the X-axis. The axis marks the Midnight and Noon values for each date. However, the columns that represent the data start at 1700 each day and end at 0500 the next day.

The field specified in the BY clause forms the data series. The range of count values forms the Y-axis.

In Summary

The stats, chart, and timechart commands have some similarities, but you’ve got to pay attention to the BY clauses that you use with them.

  • Use the stats command when you want to create results tables that show granular statistical calculations.
  • Use the stats command when you want to specify 3 or more fields in the BY clause.
  • Use the chart command when you want to create results tables that show consolidated and summarized calculations.
  • Use the chart command to create visualizations from the results table data.
  • Use the timechart command to create results tables and charts that are based on time.

SPL it like you mean it - Laura


Other blogs:

Splunk documentation:

Laura Stewart


Splunk - Stats Command

The stats command is used to calculate summary statistics on the results of a search or the events retrieved from an index. The stats command works on the search results as a whole and returns only the fields that you specify.

Each time you invoke the stats command, you can use one or more functions. However, you can only use one BY clause. If the stats command is used without a BY clause, only one row is returned, which is the aggregation over the entire incoming result set. If a BY clause is used, one row is returned for each distinct value specified in the BY clause.

Below we see the examples on some frequently used stats command.

Finding Average

We can find the average value of a numeric field by using the avg() function. This function takes the field name as input. Without a BY clause, it will give a single record which shows the average value of the field for all the events. But with a by clause, it will give multiple rows depending on how the field is grouped by the additional new field.

In the below example, we find the average byte size of the files grouped by the various http status code linked to the events associated with those files.


Finding Range

The stats command can be used to display the range of the values of a numeric field by using the range function. We continue the previous example but instead of average, we now use the max(), min() and range function together in the stats command so that we can see how the range has been calculated by taking the difference between the values of max and min columns.


Finding Mean and Variance

Statistically focused values like the mean and variance of fields is also calculated in a similar manner as given above by using appropriate functions with the stats command. In the below example, we use the functions mean() & var() to achieve this. We continue using the same fields as shown in the previous examples. The result shows the mean and variance of the values of the field named bytes in rows organized by the http status values of the events.


Command splunk stats

He said: Slut, come here, I'll tie you to the bed. I smiled lightly and said come on baby. Just be gentle with me. My words only angered him, he threw me on the bed, handcuffed me, and with all his strength, he tore it up, there.

Splunk commands : Detail discussion on timechart command

Despite her forty-three years old, she attracts the attention of both the male and female (already) half of humanity. I began to dream of her for a long time, and was only waiting for an opportunity to cuddle up to her with my. Whole body, and merge, huddle, in a single ecstasy. She jumped out to marry Sashka's father early, barely finishing high school. He is ten years older than his wife, and when she confessed to him that she was pregnant, without hesitation, he took.

You will also like:

I will drive a member over. Your face, lightly slap on slightly parted lips. Then I'll put it in your mouth. You will only work with your lips, because your hands are tied.

902 903 904 905 906