Tag: stats

Splunk | Visualizations learning

Posted on by HQW

Few important tips to take note of

Here we can see about Field Extraction and table formatting

| fields – to make searches more efficient, main part of search

  • -fieldname fieldname2 is different for – fieldname fieldname2

it makes search more efficient if the fields are included or excluded.

| table – like fields- but changes data to tabulated format (transforming command)

fields to be used before using the table command

| dedup – to remove duplicate values form the values displayed in the events/rows

  1. count ex:
  2. top, limit: top vendor limit=5
  3. rare
  4. showperc=true/false
  5. otheruser=true

Few of the Stats commands

  1. count ex: stats count as “column name” by field name
  2. distinct count ex:
  3. sum
  4. average
  5. min
  6. max
  7. list
  8. values

Chart

| chart count over status

count of a field can be noted in x axis, y always numeric as the data mentioned in x axis can be displayed based on the count.

Questions and Answers:

  1. Which of the following removes the duplicate? dedup.
  2. In a single series data table, which column provides the x-axis values for the visualization? 1st column?
  3. Which optional argument of the addtotals command changes the label for row totals in a table? label.
  4. Which clause can be used with the top command to change the name of the count column? countfield.
  5. Which clause can be used with the top command to specify a number of values to return? limit.
  6. Which command changes the appearance of field values? fieldformat.
  7. How many columns are displayed by default when using the chart command? 10.
  8. Which type of default map visualization uses shading to represent relative metrics? chloropleth.
  9. Which of the following commands can return a count of all events matching a search criteria over a specific time period? trendline sma/ema/wma
  10. When using the time chart command, which axis represents time? x-axis.
  11. How can the order of columns in a table be changed? By changing the order of fields specified in the table command.
  12. Which argument can be used with the time chart command to specify the time range to use when grouping events? span.
  13. Which clause can be used with the rare command to specify whether a percentage column is created? showperc.
  14. Which command can be used to exclude fields from search results? fields.
  15. Which argument can be used with geostats command to control the column count? globallimit.