Mastering the Tstats Command in Splunk
Introduction
The tstats command in Splunk 9.2.1 is a powerful tool that enhances your data search capabilities. It provides optimized performance by leveraging indexed fields in the Splunk Enterprise. This guide will walk you through the functionalities, syntax, and practical applications of the tstats command.
Benefits of Using Tstats
- Improved Performance: Executes faster than traditional search commands by utilizing indexed data.
- Flexibility: Supports various statistical functions like
count,sum,avg,min,max, and more. - Efficiency: Reduces the search load on Splunk instances by querying indexed data directly.
Syntax and Usage
The basic syntax for tstats is as follows:
| tstats [stats-functions] from [datasets] where [filter-condition] by [field-list]
Example
To count the number of events:
# count events from index=_internal
| tstats count where index=_internal
# successful authentication events for each user broken down by hour
| tstats count from datamodel=Authentication where Authentication.action="success" by _time span=1h, Authentication.user
Key Parameters
- Stats Functions:
count,sum,avg,min,max, etc. - Datasets: The Splunk indexes or data models.
- Filter Condition: Conditions to filter data.
- Field List: Fields to group the statistics by.
| Function | Description | Example |
|---|---|---|
| count | Counts the number of events. | | tstats count where index=_internal |
| sum | Sums the values of a numeric field. | | tstats sum(bytes) where index=web_logs by host |
| avg | Calculates the average value of a numeric field. | | tstats avg(duration) where index=transactions by service |
| min | Finds the minimum value of a numeric field. | | tstats min(response_time) where index=web_logs by endpoint |
| max | Finds the maximum value of a numeric field. | | tstats max(cpu_usage) where index=system_logs by host |
| values | Returns a list of distinct values of a field. | | tstats values(status_code) where index=web_logs by host |
| dc | Counts the distinct values of a field. | | tstats dc(user) where index=authentication by src_ip |
Timespan
The timespan argument in the tstats command allows you to specify a time range for your statistical calculations. This is particularly useful for breaking down data into more granular time intervals for detailed analysis.
Syntax
| tstats [stats-functions] from [datasets] where [filter-condition] by [field-list] _time span=[time-interval]
| Time scale | Syntax | Description |
|---|---|---|
| s | sec | secs | second | seconds | Time scale in seconds. | |
| m | min | mins | minute | minutes | Time scale in minutes. | |
| <hr> | h | hr | hrs | hour | hours | Time scale in hours. |
| d | day | days | Time scale in days. | |
| mon | month | months | Time scale in months. |
Example
To count events in 10-minute intervals:
| tstats count where index=_internal by _time span=10m