Splunk - Transforming Commands

Before a chart can be drawn, a search must turn the event data into a statistical table. These tables are what chart visualizations (and other kinds of data display) are built from. This section explains what transforming commands are, which commands belong to that category, and how to use them to extract statistical data from events.

Transforming

A transforming command orders the results of a search into a data table. Such commands "transform" the specified field values of each event into numerical values that Splunk software can use for statistics. Transforming commands are also required to put search results into the data structures that visualizations such as column, bar, line, area, and pie charts need.

The transforming commands are chart, timechart, stats, top, rare, and addtotals (addtotals counts as transforming only when it is used to calculate column totals, not row totals).


This Splunk tutorial explains the major transforming commands and gives examples of how to use them in a search.

Transforming commands

The primary transforming commands are:

  • chart: Builds a table for any data series you want to plot. You choose which field is tracked on the chart's x-axis.
  • timechart: Creates "trend over time" reports; time is always the x-axis.
  • top: Finds the most common values of a field.
  • rare: Finds the least common values of a field.
  • stats: Produces summary statistics.

Note: A transforming command always comes after the search terms (and after any streaming commands such as eval or rex), separated from them by the pipe character |.

The chart, timechart, and stats commands all take statistical functions. The available functions include:

  • count, distinct count (dc)
  • mean (avg), median, mode
  • min, max, range, percentiles (perc<N>, for example perc95)
  • standard deviation (stdev), variance (var)
  • sum
  • first occurrence (first), last occurrence (last)

Some statistical functions, such as per_day, per_hour, per_minute, and per_second, only work with the timechart command.
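To show the commands and functions listed above working together, here is an added example that is not part of the original tutorial. It assumes an index named auth with sourcetype linux_secure in which the fields src_ip, user, and action (with the values success or failure) are already extracted; these names are assumptions for the example, not a standard Splunk data source. The first search lists the ten source addresses with the most failed logins (top), the second the ten least-seen user names, which are often typos or probing (rare), the third charts failures per hour split by the five busiest sources with the rest grouped as OTHER (timechart), and the fourth applies several statistical functions in one stats pass and keeps only sources with more than 50 failures.

```spl
index=auth sourcetype=linux_secure action=failure
| top limit=10 src_ip

index=auth sourcetype=linux_secure action=failure
| rare limit=10 user

index=auth sourcetype=linux_secure action=failure
| timechart span=1h count BY src_ip limit=5 useother=t

index=auth sourcetype=linux_secure action=failure
| stats count AS failures, dc(user) AS distinct_users, min(_time) AS first_seen, max(_time) AS last_seen, first(user) AS latest_user, last(user) AS earliest_user BY src_ip
| where failures > 50
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - failures
```

Each search is typed into the search bar on its own; the blank lines only separate the four examples. Note that first() and last() follow search order, and events come back newest first, so first(user) is the most recently attempted name and last(user) the earliest one; use min(_time) and max(_time), as above, when you need the actual time bounds.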

Note: Different searches produce different data structures from their transforming commands, and each chart type needs the data in a particular shape. Not every search can therefore be shown as a bar, column, line, or area chart. Splunk offers the chart types that fit the structure of the result and picks as default the one that represents the data best.

A real-time search can compute metrics on a large incoming data stream as it arrives, without using summary indexing (the window is set with the real-time option of the time picker or with modifiers such as earliest=rt-5m latest=rt). Because the report runs over a live, continuous stream, its timeline keeps updating as events come in, and the table or chart is only shown in preview mode. Some search commands are better suited to real-time use than others.

Highlight

The highlight command marks the given terms in the raw text of the events returned by a search. Pass the terms as arguments; separate several terms with commas. Strictly speaking, highlight is a streaming command rather than a transforming one: it changes how events are displayed, not the structure of the results, and the marking is only visible in the Events view.

For example, we can highlight the terms safari and butter in the result set.

Note: safari and butter are placeholder terms taken from a different dataset. Substitute any keywords you want to find in your own data.
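The search described above, written out as an added example that is not part of the original tutorial. It assumes an index named web with sourcetype access_combined; both names are assumptions.

```spl
index=web sourcetype=access_combined
| highlight safari,butter
```

Keep highlight as the last command: if a transforming command such as stats or chart follows it, the raw event text is no longer shown, so there is nothing left to highlight.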


Chart

The chart command is a transforming command that returns the result requested by the user as a table. That table can then be displayed as a visualization such as an area, line, column, or bar chart. In the example below we create a horizontal bar chart with one bar per file type, plotting the average size in bytes.
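The chart described above as an added example, not code from the original tutorial. It assumes an index named web with sourcetype access_combined and the extracted fields file (the requested path), bytes, and status; the file type is derived from the extension with rex because no such field is assumed to exist. The first search gives one row per file type with its average size, which the Visualization tab can render as a horizontal bar chart; the second goes beyond the page's example and uses the OVER ... BY form to count requests per file type split into one column per HTTP status code, which is the shape a stacked column chart needs.

```spl
index=web sourcetype=access_combined
| rex field=file "\.(?<file_type>[^.]+)$"
| chart avg(bytes) AS avg_bytes BY file_type
| sort - avg_bytes

index=web sourcetype=access_combined
| rex field=file "\.(?<file_type>[^.]+)$"
| chart count OVER file_type BY status
```

With a single BY field, chart produces the same table as stats; the OVER ... BY form is what distinguishes it, since it turns the second field's values into columns.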


Stats

The stats command transforms the search results into a statistical summary whose shape depends on the functions and arguments given to it. The example below uses the count function to count the events, one per file served, for each day of the week. The result is a table with one row per weekday.
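The count described above as an added example, not code from the original tutorial. It assumes an index named web with sourcetype access_combined; the field date_wday is one of the date_* fields Splunk extracts from the event timestamp at index time. The first search is the direct form; the second adds an ordering step, because date_wday is a lowercase name such as monday and stats returns the rows in sorted string order (friday, monday, saturday, ...), not in calendar order.

```spl
index=web sourcetype=access_combined
| stats count AS files_served BY date_wday

index=web sourcetype=access_combined
| eval dow_num=strftime(_time, "%w"), weekday=strftime(_time, "%A")
| stats count AS files_served BY dow_num, weekday
| sort dow_num
| fields - dow_num
```

One caveat when comparing the two: date_wday is computed from the timestamp as written in the raw event, in that event's own time zone, whereas strftime(_time, ...) formats the event time in the time zone configured for the user running the search. Across a day boundary the two searches can therefore attribute the same event to different weekdays.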
