How to query only stats using Spunk Java SDK

tuandinh · ‎06-28-2022

Hi Community,

I'm using Splunk Java SDK in my application, this version to be exact:

implementation group: 'com.splunk', name: 'splunk', version: '1.6.5.0'

In the app, I'm trying to get some stats on a metric from Splunk logs.
Here's the native search command in Splunk

`myapp` "Message of interest" | eventstats min(metricOfInterest) as ft_min max(metricOfInterest) as ft_max avg(metricOfInterest) as ft_avg stdev(metricOfInterest) as ft_stdev | fields ft_min, ft_max, ft_avg, ft_stdev

So this query would return a bunch of events and 4 additional fields ft_min, ft_max, ft_avg, ft_stdev for each event. For the sake of the conversation, let's say there's 200 events matched the search.

In my app, the `SplunkResponse` contains 200 Map<String, Object>, each map represents an event.

What I want is a single entry that contains only `ft_min, ft_max, ft_avg, ft_stdev`. Right now, I can extract it from an event (among those 200), but having all events is too verbose and unnecessary. Is this achievable by twisting the query or using a particular SDK API ?

Thanks,
Tuan

VatsalJagani · ‎06-28-2022

@tuandinh - You need to use stats command instead of eventstats.

`myapp` "Message of interest" | stats min(metricOfInterest) as ft_min max(metricOfInterest) as ft_max avg(metricOfInterest) as ft_avg stdev(metricOfInterest) as ft_stdev | fields ft_min, ft_max, ft_avg, ft_stdev

I hope this helps!!!

How to query only stats using Spunk Java SDK

rest API

SDK

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio