What is stats?
Stats calculates aggregate statistics over the results set, such as average, count, and sum. This is similar to SQL aggregation. If stats is used without a by clause only one row is returned, which is the aggregation over the entire incoming result set. If you use a by clause one row is returned for each distinct value specified in the BY clause.
What is eventstats?
Eventstats generates summary statistics of all existing fields in your search results and saves those statistics in to new fields. The eventstats command is similar to the stats command. The difference is that with the eventstats command aggregation results are added inline to each event and added only if the aggregation is pertinent to that event.
What is streamstats?
Streamstats adds cumulative summary statistics to all search results in a streaming manner. The streamstats command calculates statistics for each event at the time the event is seen. For example, you can calculate the running total for a particular field. The total is calculated by using the values in the specified field for every event that has been processed, up to the current event.
Let’s take an example to understand this better.
To begin, do a simple search of the web logs in Splunk and look at 10 events and the associated byte count related to ip addresses in the field clientip.
Stats
The stats command calculates statistics based on fields in your events.
Steps :
1. Search for the top 10 events from the web log.
sourcetype=access_combined* | head 10
2. Compute the sum of the bytes for each clientip.
sourcetype=access_combined* | head 10 | stats sum(bytes) as ATotalBytes by clientip
What About original field name (bytes) ?
3. Use Table to See original filed name (bytes) sourcetype=access_combined* | head 10 | stats sum(bytes) as ATotalBytes by clientip | table bytes, ATotalBytes, clientip
Notice that the bytes column is empty above, because once the table is created by the stats command, Splunk now knows nothing about the original bytes field.
This is where eventstats can be helpful.
Eventstats
If we want to retain the original field as well , use eventstats command. This command doesn’t touch raw data.
Steps :
1. Use eventstats instead of stats command sourcetype=access_combined* | head 10 | eventstats sum(bytes) as ATotalBytes by clientip| table bytes ATotalBytes clientip
2. Use table command to see clientip, bytes and AtotalBytes sourcetype=access_combined* | head 10 | eventstats sum(bytes) as ATotalBytes by clientip | table bytes ATotalBytes clientip
We can see that the original bytes field is retained.
Streamstats
If we want to see results in streaming manner, use streamstats command.
Steps :
1. Use steamstats instead of eventstats command. sourcetype=access_combined* | head 10 | sort _time | streamstats sum(bytes) as ATotalBytes
2. Use table command to see clientip, bytes and AtotalBytes. sourcetype=access_combined* | head 10 |sort _time | streamstats sum(bytes) as ATotalBytes | table _time bytes ATotalBytes clientip
