Splunk® Cloud Services

SPL2 Search Reference

stats command examples

The following are examples for using the SPL2 stats command. To learn more about the stats command, see How the SPL2 stats command works.

Many of these examples use the statistical functions. See Overview of SPL2 stats and chart functions.

The AS and BY keywords are displayed in uppercase in the syntax and examples to make the syntax easier to read. You can specify the AS and BY keywords in uppercase or lowercase in your searches.

1. Calculate the sum of a field

If you just want a simple calculation, you can specify the aggregation without any other arguments. For example:

... | stats sum(bytes)

This search summarizes the bytes for all of the incoming results. One row is returned with one column. The name of the column is the name of the aggregation. For example:

sum(bytes)
3195256256

2. Group the results by a field

This example takes the incoming result set and calculates the sum of the bytes field and groups the sums by the values in the host field.

... | stats sum(bytes) BY host

The results contain as many rows as there are distinct host values. There are two columns returned: host and sum(bytes). If you don't specify a name for the results using the `AS <field> syntax, then the names of the columns are the name of the <by-clause> field and the name of the aggregation.

If there are two distinct hosts, the results are returned as a table similar to this:

host sum(bytes)
host1 3123124124
host2 72132132

3. Specifying multiple aggregations and multiple by-clause fields

You can also specify more than one aggregation and <by-clause> with the stats command. You can rename the output fields using the AS <field> clause. For example:

...| stats sum(bytes) AS 'Sum of bytes', avg(bytes) AS Average BY host, sourcetype

This search organizes the incoming search results into groups based on the combination of host and sourcetype. It returns the sum of the bytes in the Sum of bytes field and the average bytes in the Average field for each group. If there are two distinct hosts and two distinct sourcetypes, the search will produce results similar to this:

host sourcetype Sum of bytes Average
host1 webaccess 3123124124 3782
host2 webaccess 72132132 3742
host1 json 32132 3213

4. Specifying a time span in the BY clause

This example counts the values in the action field and organized the results into 30 minute time spans. When you use the span argument, the field you use in the <by-clause> must be either the _time field, or another field with values in UNIX time. For example:

...| stats count(action) AS count BY _time span=30m

See also

stats command
stats command overview
stats command syntax details
stats command usage
Last modified on 31 January, 2024
stats command usage   streamstats command overview

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters