Splunk Concise Tutorial

Splunk - Stats Command

The stats command is used to calculate summary statistics on the results of a search or the events retrieved from an index. The stats command works on the search results as a whole and returns only the fields that you specify.

Each time you invoke the stats command, you can use one or more functions. However, you can only use one BY clause. If the stats command is used without a BY clause, only one row is returned, which is the aggregation over the entire incoming result set. If a BY clause is used, one row is returned for each distinct value of the field specified in the BY clause.

Below are examples of some frequently used stats command functions.

Finding Average

We can find the average value of a numeric field by using the avg() function. This function takes the field name as input. Without a BY clause, it returns a single record showing the average value of the field over all the events. With a BY clause, it returns one row per distinct value of the grouping field.

In the example below, we find the average byte size of the files, grouped by the HTTP status code of the events associated with those files.

(Screenshot: stats 1)

Finding Range

The stats command can display the range of the values of a numeric field by using the range() function. We continue the previous example, but instead of the average we now use the max(), min() and range() functions together in the stats command, so that we can see how the range is calculated as the difference between the values of the max and min columns.

(Screenshot: stats 2)

Finding Mean and Variance

Statistical values such as the mean and variance of a field are calculated in the same manner as above, by using the appropriate functions with the stats command. In the example below, we use the functions mean() and var() to achieve this. We continue using the same fields as in the previous examples. The result shows the mean and variance of the values of the field named bytes, in rows organized by the HTTP status values of the events.

(Screenshot: stats 3)
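To make concrete what each row of the three searches above contains, here is an added Python example (not Splunk code and not part of this tutorial) that reproduces `stats avg(bytes) max(bytes) min(bytes) range(bytes) var(bytes) by status` over a few constructed web-access events; it assumes, as the Splunk documentation states, that var() is the sample variance and that mean() is an alias of avg().

```python
from collections import defaultdict
from statistics import mean, variance

# Constructed sample events (not real Splunk data): each dict stands for one
# indexed web-access event carrying the fields the tutorial uses.
EVENTS = [
    {"status": "200", "bytes": 1024},
    {"status": "200", "bytes": 2048},
    {"status": "200", "bytes": 4096},
    {"status": "200"},                 # no bytes field: ignored by the functions
    {"status": "404", "bytes": 512},
    {"status": "404", "bytes": 256},
    {"status": "500", "bytes": 128},
    {"status": "500", "bytes": 640},
    {"bytes": 9999},                   # no status field: dropped by "by status"
]


def stats_by(events, field, by=None):
    """Mimic `stats avg(f) max(f) min(f) range(f) var(f) by <by>`.

    One row per distinct value of `by`, or a single row when `by` is None.
    Events lacking `field` contribute nothing to the functions; events lacking
    the `by` field are excluded entirely, as Splunk's BY clause does.
    """
    groups = defaultdict(list)
    for ev in events:
        if field not in ev or (by and by not in ev):
            continue
        groups[ev[by] if by else None].append(float(ev[field]))
    rows = []
    for key in sorted(groups, key=str):
        vals = groups[key]
        row = {} if by is None else {by: key}
        row[f"avg({field})"] = mean(vals)          # mean() is an alias of avg()
        row[f"max({field})"] = max(vals)
        row[f"min({field})"] = min(vals)
        row[f"range({field})"] = max(vals) - min(vals)
        # Sample variance (n - 1 denominator); statistics.variance needs at
        # least two values, so a one-event group is not modelled here.
        row[f"var({field})"] = variance(vals) if len(vals) > 1 else None
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in stats_by(EVENTS, "bytes", by="status"):
        print("  ".join(f"{k}={v:g}" if isinstance(v, float) else f"{k}={v}"
                        for k, v in row.items()))
```

Running it prints one row per status, so you can compare each column with the screenshots above; calling `stats_by(EVENTS, "bytes")` without `by` gives the single whole-set row the text describes.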