A common use of the stats command is to count events. To see how this works, run the following search query. The SPL will return a single number representing the count of all events in the last 30 minutes. Notice that the pipe that precedes the stats command filters the data that will be included in the final count:
SPL> index=main earliest=-30m latest=now | stats count
Change the time modifier and the number should be reduced:
SPL> index=main earliest=-15m latest=now | stats count
You may be wondering where the count came from. The true format of a stats command is stats function(X). This asks the system to return the result of the function based on the field X. When the count function is used without parentheses, Splunk assumes that you are looking for the count of all events in the given search.
The stats command becomes a very powerful tool especially when you need to group counts by fields. Here is an example:
SPL> index=main | stats count by http_method
This will result in two rows of data that will show the counts of the GET and the POST methods, as shown in the following screenshot. These are two methods that are used in HTTP (website communication rules for client and server) to ask for information (GET) and submit data (POST):
You can also use the avg(X) function to get the average value of all the events based on URLs. Here is an example that you can use:
SPL> index=main | stats count by http_uri | stats avg(count)
Some of the widely used stats functions are:
- avg(X): Returns the average of the values of the field X
- dc(X): Returns the count of distinct values of the field X
- max(X): Returns the maximum value of the field X
- min(X): Returns the minimum value of the field X
- perc<X>(Y): Returns the Xth percentile of the field X, for example perc95(X)
- sum(X): Returns the sum of the values of the field X