Use the keepnull= option to override the default behavior, if desired.

The head filtering command returns the first count results. Using head permits a search to stop retrieving events from the disk when it finds the desired number of results.

The transaction command groups related events. For more details, refer to our blog on Grouping Events in Splunk.

The transaction command groups events that meet various constraints into transactions: collections of events, possibly from multiple sources. Events are grouped together if all transaction definition constraints are met. All the transaction command arguments are optional, but some constraints must be specified to define how events are grouped into transactions.

Transactions are composed of the raw text (the _raw field) of each member event, the timestamp (the _time field) of the earliest member event, the union of all other fields of each member event, and some additional fields that describe the transaction, such as duration and eventcount.

Splunk does not necessarily interpret a transaction defined by multiple fields as a conjunction (field1 AND field2 AND field3) or a disjunction (field1 OR field2 OR field3) of those fields. If there is a transitive relationship between the specified fields, the transaction command uses it. For example, if you searched for transaction host cookie, you might see the following events grouped into a single transaction:

event=1 host=a
event=2 host=a cookie=b
event=3 cookie=b

The first two events are joined because they have host=a in common, and then the third is joined with them because it has cookie=b in common with the second event.

The transaction command produces two fields:

duration: the difference between the timestamps of the first and last events in the transaction.
eventcount: the number of events in the transaction.

Although the stats command (covered later in this section) and the transaction command both enable you to aggregate events, there is an important distinction:

stats calculates statistical values on events grouped by the values of fields (and then the events are discarded).
transaction groups events, supports more options for how they are grouped, and retains the raw event text and other field values from the original events.

Reporting commands covered in this section include top, stats, chart, and timechart.

Given a list of fields, the top command returns the most frequently occurring tuple of those field values, along with their count and percentage. If you specify an optional by-clause of additional fields, the most frequent values for each distinct group of values of the by-clause fields are returned.

The stats command calculates aggregate statistics over a dataset, similar to SQL aggregation. The resultant tabulation can contain one row, which represents the aggregation over the entire incoming result set, or a row for each distinct value of a specified by-clause. There is more than one command for statistical calculations.
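The transitive grouping described above, and the contrast with stats and top, as an added example in Python that is not code from the original post or from Splunk. It models how the transaction command links the host/cookie events shown in the text (constructed sample events with assumed epoch-second timestamps, plus an unrelated fourth event), builds _time, _raw, duration and eventcount the way the text defines them, and shows that stats and top keep only aggregates. The real transaction command also honours constraints such as maxspan and maxpause; this model assumes unconstrained grouping and omits them.

```python
"""Model of Splunk's transaction grouping on multiple fields (constructed example).

Events are linked transitively when they share a value for ANY listed field:
event 1 and event 3 below never share a field value directly, yet they land in
one transaction through event 2. A conjunction (host AND cookie) would link
nothing here, a disjunction evaluated per pair would miss the 1-3 link.
Assumption: no maxspan/maxpause/startswith/endswith constraints are applied.
"""
from collections import defaultdict

# Constructed sample events; _time values are assumed epoch seconds.
EVENTS = [
    {"_time": 100, "_raw": "event=1 host=a", "event": "1", "host": "a"},
    {"_time": 105, "_raw": "event=2 host=a cookie=b", "event": "2", "host": "a", "cookie": "b"},
    {"_time": 112, "_raw": "event=3 cookie=b", "event": "3", "cookie": "b"},
    {"_time": 120, "_raw": "event=4 host=c", "event": "4", "host": "c"},
]


def _find(parent, i):
    # Path-compressing find for the union-find structure.
    while parent[i] != i:
        parent[i] = parent[parent[i]]
        i = parent[i]
    return i


def transaction(events, fields):
    """Group events transitively linked by a shared value of any field in `fields`.

    Returns one dict per transaction: _time of the earliest member, the joined
    _raw text, the union of all other fields (multi-valued where members
    differ), plus duration and eventcount.
    """
    parent = list(range(len(events)))
    first_seen = {}  # (field, value) -> index of the first event carrying it
    for idx, ev in enumerate(events):
        for f in fields:
            if f not in ev:
                continue  # an event without the field cannot link on it
            key = (f, ev[f])
            if key in first_seen:
                ra, rb = _find(parent, first_seen[key]), _find(parent, idx)
                if ra != rb:
                    parent[rb] = ra  # merge the two partial transactions
            else:
                first_seen[key] = idx
    groups = defaultdict(list)
    for idx in range(len(events)):
        groups[_find(parent, idx)].append(events[idx])
    result = []
    for members in groups.values():
        members.sort(key=lambda e: e["_time"])
        txn = {}
        for ev in members:
            for k, v in ev.items():
                if k in ("_time", "_raw"):
                    continue
                txn.setdefault(k, [])
                if v not in txn[k]:
                    txn[k].append(v)
        txn["_time"] = members[0]["_time"]
        txn["_raw"] = "\n".join(e["_raw"] for e in members)
        txn["duration"] = members[-1]["_time"] - members[0]["_time"]
        txn["eventcount"] = len(members)
        result.append(txn)
    result.sort(key=lambda t: t["_time"])
    return result


def stats_count_by(events, field):
    """stats count by <field>: only the per-value counts survive; events are discarded."""
    counts = defaultdict(int)
    for ev in events:
        if field in ev:
            counts[ev[field]] += 1
    return dict(counts)


def top(events, fields):
    """top <fields>: most frequent tuples of the field values with count and percent.

    Assumption: percent is relative to the events that carry all requested fields.
    """
    counts = defaultdict(int)
    for ev in events:
        if all(f in ev for f in fields):
            counts[tuple(ev[f] for f in fields)] += 1
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: -kv[1])
    return [(vals, c, 100.0 * c / total) for vals, c in ranked]


if __name__ == "__main__":
    for t in transaction(EVENTS, ["host", "cookie"]):
        print(t["eventcount"], t["duration"], t["_raw"].replace("\n", " | "))
    print(stats_count_by(EVENTS, "host"))
    print(top(EVENTS, ["host"]))
```

When you need the raw text of the member events for an investigation, the transaction output keeps it, whereas the stats and top tables above contain nothing but counts; that is the practical consequence of the distinction the text draws.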