Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Clarification regarding search command and stats command

Justin1224
Communicator
‎09-22-2016 12:16 PM

Hey everyone,

I'm confused about what the second command in my search does. Here is the whole search:

| useraccounts_tracker | search user_category=default | stats max(lastTime) as _time, values(user_category) as user_category, dc(dest) as dc(dest) by user | sort 100 - _time | fields _time,user,user_category,dc(dest)

Specifically what I'm unsure about:
-What does the search user_category=default command do?
-What does the stats max(lastTime) as _time, values(user_category) as user_category, dc(dest) as dc(dest) by user command do? I know when it says "as" it's renaming fields. So other than that, what is it doing?

Any help would be appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-22-2016 12:33 PM 
| `useraccounts_tracker` --->  generating/fetching data. Need to know the macro definition to know source of the data
| search user_category=default ---> From the fetched data, filtering result which satisfy the filter condition (value of user_category is default
| stats max(lastTime) as _time, values(user_category) as user_category, dc(dest) as dc(dest) by user ----> From the filtered results, generate statistics, group by field user, to get max of field lastTime and rename as field _time, list all uniue values of the field user_category as itself, get distinct count of field dest as field "dc(dest)".
| sort 100 - _time  ---> sort the results from stats command in descending order of field _time and select first 100 records
| fields _time,user,user_category,dc(dest) ---> selecting only the required fields and setting the order of the display.

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-22-2016 12:33 PM 
| `useraccounts_tracker` --->  generating/fetching data. Need to know the macro definition to know source of the data
| search user_category=default ---> From the fetched data, filtering result which satisfy the filter condition (value of user_category is default
| stats max(lastTime) as _time, values(user_category) as user_category, dc(dest) as dc(dest) by user ----> From the filtered results, generate statistics, group by field user, to get max of field lastTime and rename as field _time, list all uniue values of the field user_category as itself, get distinct count of field dest as field "dc(dest)".
| sort 100 - _time  ---> sort the results from stats command in descending order of field _time and select first 100 records
| fields _time,user,user_category,dc(dest) ---> selecting only the required fields and setting the order of the display.
Reply
Solved! Jump to solution

Justin1224
Communicator
‎09-23-2016 07:55 AM

That helps a lot, thank you!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...