Splunk® Cloud Services

SPL2 Search Reference

stats command syntax details

Syntax

The required syntax is in bold.

stats
[allnum = <boolean>] [delim = <"string">] [partitions = <num>]
<aggregation> ...
( [<by-clause>] [span=<time-span>] )

The AS and BY keywords are displayed in uppercase in the syntax and examples to make the syntax easier to read. You can specify these keywords in uppercase or lowercase.

Required arguments

aggregation
Syntax: <aggregate-function> "("<field> [AS <field>] ")" ["," <aggregate-function> "("<field> [AS <field>] ")" ]...
Description: A statistical aggregation function. The function can be applied to an eval expression, or to one or more fields. By default, the name of the field used in the output is the same as your aggregate function. For example, if your search is ... | stats sum(bytes), the field name in the output is sum(bytes). Use the AS clause to place the result into a new field with a name that you specify, for example ... | stats sum(bytes) AS 'sum of bytes'.
For a description of the aggregate functions you can use, see aggregation functions.

Optional arguments

allnum
Syntax: allnum=<boolean>
Description: If set to true, computes numerical statistics on each field if and only if all of the values of that field are numerical.
Default: false
by-clause
Syntax: BY <field> [span=<timespan>] ["," <field> [span=<timespan>] ]...
Description: The name of one or more fields to group the results by. You can specify a time span to apply to the grouping. The <by-clause> returns one row for each distinct value in the <by-clause> fields. You cannot use the wildcard character to specify multiple fields with similar names. You must specify each field separately.
Default: If no <by-clause> is specified, the stats command returns only one row, which is the aggregation over the entire incoming result set.
For information about timespans, see Specifying time spans in the SPL2 Search Manual.
delim
Syntax: delim=<string>
Description: Specifies how the values in the list() or values() functions are delimited.
Default: A single space
partitions
Syntax: partitions=<num>
Description: If specified, partitions the incoming search results based on the <by-clause> fields for multithreaded reduce. The partitions argument runs the reduce step (in parallel reduce processing) with multiple threads in the same search process on the same machine. Compare that with parallel reduce, which runs the reduce step in parallel on multiple machines.
Default: 1
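
The following search is an added example, not part of the Splunk documentation, that combines the arguments described above in a single stats command. It assumes the preceding search (the ...) already returns authentication-failure events that carry user and src fields; those field names are assumptions, not fields the page defines.

```spl2
... | stats delim=";" count() AS failed_logins, dc(src) AS distinct_sources, values(src) AS sources BY user, _time span=1h
```

Because delim is set, the sources field holds each user's distinct source values joined by ";" rather than by the default single space, and the span on _time in the by-clause produces one row per user per hour.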

See also

stats command
stats command overview
stats command usage
stats command examples
Related information
Specifying time spans in the SPL2 Search Manual
Last modified on 06 September, 2024

This documentation applies to the following versions of Splunk® Cloud Services: current
