[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:08.70,Default,,0000,0000,0000,,[Music]
Dialogue: 0,0:00:10.20,0:00:13.04,Default,,0000,0000,0000,,Welcome to another L.A.M.E. (Log Analysis
Dialogue: 0,0:00:13.04,0:00:15.08,Default,,0000,0000,0000,,Made Easy) tutorial. In this one, we're going
Dialogue: 0,0:00:15.08,0:00:19.20,Default,,0000,0000,0000,,to talk about stats, eventstats, and
Dialogue: 0,0:00:19.20,0:00:21.72,Default,,0000,0000,0000,,streamstats. And we're... Basically,
Dialogue: 0,0:00:21.72,0:00:24.32,Default,,0000,0000,0000,,this tutorial will brief you on
Dialogue: 0,0:00:24.32,0:00:26.52,Default,,0000,0000,0000,,the difference between the three, and
Dialogue: 0,0:00:26.52,0:00:27.92,Default,,0000,0000,0000,,they are slightly different. I'm going to
Dialogue: 0,0:00:27.92,0:00:29.24,Default,,0000,0000,0000,,try a few different ways to
Dialogue: 0,0:00:29.24,0:00:31.32,Default,,0000,0000,0000,,show it, and hopefully, by the end of this
Dialogue: 0,0:00:31.32,0:00:33.76,Default,,0000,0000,0000,,tutorial, you'll have a good idea of
Dialogue: 0,0:00:33.76,0:00:36.24,Default,,0000,0000,0000,,how they can be used. I'll put another
Dialogue: 0,0:00:36.24,0:00:39.08,Default,,0000,0000,0000,,video after this one with use cases, for
Dialogue: 0,0:00:39.08,0:00:40.60,Default,,0000,0000,0000,,example, analytic hunting and stuff that
Dialogue: 0,0:00:40.60,0:00:42.60,Default,,0000,0000,0000,,you might actually use the different
Dialogue: 0,0:00:42.60,0:00:45.88,Default,,0000,0000,0000,,queries for. But let's start. First off, the
Dialogue: 0,0:00:45.88,0:00:48.48,Default,,0000,0000,0000,,stats command. I just started here with
Dialogue: 0,0:00:48.48,0:00:50.92,Default,,0000,0000,0000,,index=_internal, table source
Dialogue: 0,0:00:50.92,0:00:53.28,Default,,0000,0000,0000,,and sourcetype, stats give me the
Dialogue: 0,0:00:53.28,0:00:55.32,Default,,0000,0000,0000,,distinct count of the source by the
Dialogue: 0,0:00:55.32,0:00:59.08,Default,,0000,0000,0000,,sourcetype. dc is distinct count.
Dialogue: 0,0:00:59.08,0:01:00.56,Default,,0000,0000,0000,,Space count, looking at an internal log. I
Dialogue: 0,0:01:00.56,0:01:01.64,Default,,0000,0000,0000,,just want to do something you can do
Dialogue: 0,0:01:01.64,0:01:04.72,Default,,0000,0000,0000,,anywhere you want, and I'm just
Dialogue: 0,0:01:04.72,0:01:06.56,Default,,0000,0000,0000,,getting all the distinct sources by
Dialogue: 0,0:01:06.56,0:01:09.48,Default,,0000,0000,0000,,sourcetype. When I ran that, I see that
Dialogue: 0,0:01:09.48,0:01:12.67,Default,,0000,0000,0000,,this sourcetype, splunk_assist_internal_log,
Dialogue: 0,0:01:12.67,0:01:14.84,Default,,0000,0000,0000,,has two sources. This one
Dialogue: 0,0:01:14.84,0:01:17.00,Default,,0000,0000,0000,,has three. Most of these just have one.
Dialogue: 0,0:01:17.00,0:01:20.12,Default,,0000,0000,0000,,This one, splunkd, has four sources. And
Dialogue: 0,0:01:20.12,0:01:25.27,Default,,0000,0000,0000,,what you'll note is it takes 55,151 events
Dialogue: 0,0:01:25.27,0:01:26.66,Default,,0000,0000,0000,,and collapses them down.
Dialogue: 0,0:01:26.66,0:01:29.88,Default,,0000,0000,0000,,It is a transforming command. I use these terms
Dialogue: 0,0:01:29.88,0:01:31.36,Default,,0000,0000,0000,,in case you ever want to get Splunk
Dialogue: 0,0:01:31.36,0:01:33.12,Default,,0000,0000,0000,,certified or hear these things. These are
Dialogue: 0,0:01:33.12,0:01:34.84,Default,,0000,0000,0000,,transforming commands. Transforming
Dialogue: 0,0:01:34.84,0:01:38.04,Default,,0000,0000,0000,,commands take logs and change them into,
Dialogue: 0,0:01:38.04,0:01:40.84,Default,,0000,0000,0000,,primarily, tables. It takes the
Dialogue: 0,0:01:40.84,0:01:43.32,Default,,0000,0000,0000,,raw log format and turns it into a table. An
Dialogue: 0,0:01:43.32,0:01:45.32,Default,,0000,0000,0000,,option with stats will collapse, like
Dialogue: 0,0:01:45.32,0:01:48.40,Default,,0000,0000,0000,,here, a massive reduction. Anyway,
Dialogue: 0,0:01:49.48,0:01:52.51,Default,,0000,0000,0000,,we've done that. So let's show stats.
Dialogue: 0,0:01:53.08,0:01:56.20,Default,,0000,0000,0000,,Let's show eventstats. Eventstats is
Dialogue: 0,0:01:56.20,0:02:00.76,Default,,0000,0000,0000,,going to take--oh, here's another
Dialogue: 0,0:02:00.76,0:02:02.20,Default,,0000,0000,0000,,example of that command we're going to
Dialogue: 0,0:02:02.20,0:02:04.96,Default,,0000,0000,0000,,just use. This is my Corelight index. I'm
Dialogue: 0,0:02:04.96,0:02:06.52,Default,,0000,0000,0000,,looking at my connection logs. I'm doing
Dialogue: 0,0:02:06.52,0:02:08.48,Default,,0000,0000,0000,,source IP, destination. I'm still staying
Dialogue: 0,0:02:08.48,0:02:10.60,Default,,0000,0000,0000,,with the stats command. Here, I'm going to
Dialogue: 0,0:02:10.60,0:02:12.36,Default,,0000,0000,0000,,say: give me all the distinct
Dialogue: 0,0:02:12.36,0:02:14.96,Default,,0000,0000,0000,,counts of destination IPs to a source IP.
Dialogue: 0,0:02:14.96,0:02:17.92,Default,,0000,0000,0000,,So how many different IP addresses did
Dialogue: 0,0:02:17.92,0:02:21.32,Default,,0000,0000,0000,,each source IP go to? There were 31,800
Dialogue: 0,0:02:21.32,0:02:23.44,Default,,0000,0000,0000,,total events, but it only displays 81
Dialogue: 0,0:02:23.44,0:02:26.84,Default,,0000,0000,0000,,because it collapses them down. I can see
Dialogue: 0,0:02:26.84,0:02:31.04,Default,,0000,0000,0000,,that 192.168.0.103 went to 33 different
Dialogue: 0,0:02:31.04,0:02:35.96,Default,,0000,0000,0000,,addresses, 25, 7, 10, 40, 43, etc. And that is
Dialogue: 0,0:02:35.96,0:02:39.48,Default,,0000,0000,0000,,stats. Now look, let's look at eventstats.
Dialogue: 0,0:02:39.48,0:02:41.28,Default,,0000,0000,0000,,Eventstats, going back to my original
Dialogue: 0,0:02:41.28,0:02:45.39,Default,,0000,0000,0000,,example, we had 155,118 events shown.
Dialogue: 0,0:02:46.00,0:02:48.12,Default,,0000,0000,0000,,Here, the exact same query gave me a
Dialogue: 0,0:02:48.12,0:02:49.96,Default,,0000,0000,0000,,distinct count on this
Dialogue: 0,0:02:49.96,0:02:53.92,Default,,0000,0000,0000,,internal. What you'll notice is I had
Dialogue: 0,0:02:53.92,0:02:58.20,Default,,0000,0000,0000,,155,118 results come back--close enough.
Dialogue: 0,0:02:58.20,0:03:01.44,Default,,0000,0000,0000,,Clearly, it was based on when they ran,
Dialogue: 0,0:03:01.44,0:03:05.05,Default,,0000,0000,0000,,and how many does it display? 155,118.
Dialogue: 0,0:03:28.68,0:03:32.08,Default,,0000,0000,0000,,All your statistics show up as individual lines of the
Dialogue: 0,0:03:32.08,0:03:33.80,Default,,0000,0000,0000,,entire group. So, it's going to go look at
Dialogue: 0,0:03:33.80,0:03:35.96,Default,,0000,0000,0000,,this entire dataset and come back with
Dialogue: 0,0:03:35.96,0:03:38.64,Default,,0000,0000,0000,,the statistical numbers for each line.
Dialogue: 0,0:03:38.64,0:03:40.56,Default,,0000,0000,0000,,And so, we can... if we move on, we'll see
Dialogue: 0,0:03:40.56,0:03:42.88,Default,,0000,0000,0000,,when the Splunk metric log
Dialogue: 0,0:03:42.88,0:03:44.96,Default,,0000,0000,0000,,changes. Somewhere down the line, we'll
Dialogue: 0,0:03:44.96,0:03:47.84,Default,,0000,0000,0000,,eventually get there. It changes. Now we
Dialogue: 0,0:03:47.84,0:03:50.16,Default,,0000,0000,0000,,have this access log, and there's just
Dialogue: 0,0:03:50.16,0:03:53.12,Default,,0000,0000,0000,,one unique, two unique. And so each--here
Dialogue: 0,0:03:53.12,0:03:55.12,Default,,0000,0000,0000,,you've got the two. You
Dialogue: 0,0:03:55.12,0:03:59.08,Default,,0000,0000,0000,,can, and two, blah blah blah. And down the lines
Dialogue: 0,0:03:59.08,0:03:59.82,Default,,0000,0000,0000,,we go.
Dialogue: 0,0:04:00.76,0:04:02.76,Default,,0000,0000,0000,,So basically, this is just statistics,
Dialogue: 0,0:04:02.76,0:04:05.12,Default,,0000,0000,0000,,stating, and each line gets its stuff
Dialogue: 0,0:04:05.12,0:04:06.16,Default,,0000,0000,0000,,added to it.
Dialogue: 0,0:04:06.16,0:04:10.36,Default,,0000,0000,0000,,Another example using my Corelight logs,
Dialogue: 0,0:04:10.36,0:04:12.64,Default,,0000,0000,0000,,hopefully, this pushes out. Here's my
Dialogue: 0,0:04:12.64,0:04:15.88,Default,,0000,0000,0000,,source IP. Here's my destination IP.
Dialogue: 0,0:04:15.88,0:04:17.08,Default,,0000,0000,0000,,One of the things you'll notice: be
Dialogue: 0,0:04:17.08,0:04:19.72,Default,,0000,0000,0000,,careful with stats. You lose values when
Dialogue: 0,0:04:19.72,0:04:23.52,Default,,0000,0000,0000,,you use stats. So here stats has 10,000.
Dialogue: 0,0:04:23.52,0:04:24.68,Default,,0000,0000,0000,,I would need to do something
Dialogue: 0,0:04:24.68,0:04:26.56,Default,,0000,0000,0000,,different to allow me to
Dialogue: 0,0:04:26.56,0:04:28.88,Default,,0000,0000,0000,,bring back more than 10,000 events. But
Dialogue: 0,0:04:28.88,0:04:30.76,Default,,0000,0000,0000,,just so you know, we're just going to move
Dialogue: 0,0:04:30.76,0:04:33.24,Default,,0000,0000,0000,,on and ignore the fact that if I let
Dialogue: 0,0:04:33.24,0:04:35.20,Default,,0000,0000,0000,,the limits be as big, it would be
Dialogue: 0,0:04:35.20,0:04:38.60,Default,,0000,0000,0000,,31,780 events. And so I come back, and we
Dialogue: 0,0:04:38.60,0:04:41.72,Default,,0000,0000,0000,,can see how many times did zero, how many
Dialogue: 0,0:04:41.72,0:04:45.28,Default,,0000,0000,0000,,different IP addresses did 0.0.0.0 talk to?
Dialogue: 0,0:04:45.28,0:04:47.84,Default,,0000,0000,0000,,One. This is it, and it doesn't matter how
Dialogue: 0,0:04:47.84,0:04:49.52,Default,,0000,0000,0000,,many times it shows up. It only talked to
Dialogue: 0,0:04:49.52,0:04:52.24,Default,,0000,0000,0000,,one. Now here, we can see
Dialogue: 0,0:04:52.24,0:04:56.20,Default,,0000,0000,0000,,133. It says there were two. We can
Dialogue: 0,0:04:56.20,0:05:03.85,Default,,0000,0000,0000,,see the first one, 192.168.0.125. 120.5, 120.5, 120.5, still the same.
Dialogue: 0,0:05:03.85,0:05:05.24,Default,,0000,0000,0000,,But somewhere
Dialogue: 0,0:05:05.24,0:05:06.52,Default,,0000,0000,0000,,around here, there's going to be--oh, there
Dialogue: 0,0:05:06.52,0:05:09.56,Default,,0000,0000,0000,,it is. This one here, there's
Dialogue: 0,0:05:09.56,0:05:10.92,Default,,0000,0000,0000,,my second one, and that's why we have
Dialogue: 0,0:05:10.92,0:05:14.48,Default,,0000,0000,0000,,two. But it marks two for every one of these events.
Dialogue: 0,0:05:15.84,0:05:18.44,Default,,0000,0000,0000,,And same if I had something with
Dialogue: 0,0:05:18.44,0:05:21.40,Default,,0000,0000,0000,,three or more, like here, 44. If I count it
Dialogue: 0,0:05:21.40,0:05:24.28,Default,,0000,0000,0000,,all, there will be 44 distinct IP
Dialogue: 0,0:05:24.28,0:05:27.20,Default,,0000,0000,0000,,addresses in all these pairings that
Dialogue: 0,0:05:27.20,0:05:31.56,Default,,0000,0000,0000,,go together. Here, I've got two, which is 251119.
Dialogue: 0,0:05:31.56,0:05:34.00,Default,,0000,0000,0000,,That's why I've got two.
Dialogue: 0,0:05:34.00,0:05:37.92,Default,,0000,0000,0000,,So eventstats, it'll take the entire
Dialogue: 0,0:05:37.92,0:05:40.52,Default,,0000,0000,0000,,beginning to end of all your
Dialogue: 0,0:05:40.52,0:05:43.16,Default,,0000,0000,0000,,data, do its mathematical analysis, and
Dialogue: 0,0:05:43.16,0:05:45.88,Default,,0000,0000,0000,,every log that came back will get that
Dialogue: 0,0:05:45.88,0:05:49.16,Default,,0000,0000,0000,,value written into it. Streamstats does it
Dialogue: 0,0:05:49.16,0:05:52.16,Default,,0000,0000,0000,,slightly differently. Streamstats, I'm
Dialogue: 0,0:05:52.16,0:05:55.20,Default,,0000,0000,0000,,going to show my last example here.
Dialogue: 0,0:05:55.20,0:05:58.88,Default,,0000,0000,0000,,This one's my last example. Nope.
Dialogue: 0,0:05:58.88,0:06:02.20,Default,,0000,0000,0000,,Where did I put that? Okay. This one
Dialogue: 0,0:06:02.20,0:06:05.48,Default,,0000,0000,0000,,here, I'm just going to show--streamstats
Dialogue: 0,0:06:05.48,0:06:07.48,Default,,0000,0000,0000,,actually works very similarly to what eventstats
Dialogue: 0,0:06:07.48,0:06:10.08,Default,,0000,0000,0000,,does, but it takes each line as it
Dialogue: 0,0:06:10.08,0:06:12.64,Default,,0000,0000,0000,,comes through the stream from the
Dialogue: 0,0:06:12.64,0:06:15.08,Default,,0000,0000,0000,,indexer and computes it and keeps
Dialogue: 0,0:06:15.08,0:06:18.68,Default,,0000,0000,0000,,growing. So for example here, I did a head
Dialogue: 0,0:06:18.68,0:06:21.00,Default,,0000,0000,0000,,100. I'm not going to use any of the
Dialogue: 0,0:06:21.00,0:06:22.12,Default,,0000,0000,0000,,values. I'm just gonna say streamstats
Dialogue: 0,0:06:22.12,0:06:24.76,Default,,0000,0000,0000,,count. I just want to know. So
Dialogue: 0,0:06:24.76,0:06:27.92,Default,,0000,0000,0000,,if you'd done stats count, if I'd done a head
Dialogue: 0,0:06:27.92,0:06:29.60,Default,,0000,0000,0000,,100 and I do a stats count, guess what the
Dialogue: 0,0:06:29.60,0:06:32.84,Default,,0000,0000,0000,,count's going to be? 100, or less if
Dialogue: 0,0:06:32.84,0:06:35.04,Default,,0000,0000,0000,,there aren't 100 values that come back.
Dialogue: 0,0:06:35.04,0:06:36.92,Default,,0000,0000,0000,,But if I do streamstats, my
Dialogue: 0,0:06:36.92,0:06:38.84,Default,,0000,0000,0000,,count as event count, so I can see it
Dialogue: 0,0:06:38.84,0:06:41.52,Default,,0000,0000,0000,,growing. And I'm going to table it. And
Dialogue: 0,0:06:41.52,0:06:42.96,Default,,0000,0000,0000,,the very first value that comes back, it
Dialogue: 0,0:06:42.96,0:06:45.12,Default,,0000,0000,0000,,says, how many total events are there?
Dialogue: 0,0:06:45.12,0:06:46.68,Default,,0000,0000,0000,,Well, when the first event comes back,
Dialogue: 0,0:06:46.68,0:06:48.80,Default,,0000,0000,0000,,there'll be one. Then when the second
Dialogue: 0,0:06:48.80,0:06:50.16,Default,,0000,0000,0000,,event comes back, how many will
Dialogue: 0,0:06:50.16,0:06:52.60,Default,,0000,0000,0000,,there be? Two. When the third one comes in
Dialogue: 0,0:06:52.60,0:06:54.84,Default,,0000,0000,0000,,line, how many will there be? 3.
Dialogue: 0,0:06:54.84,0:06:57.64,Default,,0000,0000,0000,,4, 5, 6, 7, etc., until I reach
Dialogue: 0,0:06:57.64,0:07:01.80,Default,,0000,0000,0000,,the back, and it's 100. So what happens is
Dialogue: 0,0:07:01.80,0:07:04.80,Default,,0000,0000,0000,,the statistical number keeps growing as
Dialogue: 0,0:07:04.80,0:07:07.64,Default,,0000,0000,0000,,the items come through the stream. Eventstats
Dialogue: 0,0:07:07.64,0:07:09.44,Default,,0000,0000,0000,,totals the
Dialogue: 0,0:07:09.44,0:07:12.36,Default,,0000,0000,0000,,entire bundle from beginning to end,
Dialogue: 0,0:07:12.36,0:07:13.84,Default,,0000,0000,0000,,statistical numbers, and puts them on
Dialogue: 0,0:07:13.84,0:07:16.36,Default,,0000,0000,0000,,each line. Streamstats takes each line
Dialogue: 0,0:07:16.36,0:07:19.28,Default,,0000,0000,0000,,as it comes through and does the math on
Dialogue: 0,0:07:19.28,0:07:21.28,Default,,0000,0000,0000,,them. So let's show another, kind of
Dialogue: 0,0:07:21.28,0:07:24.80,Default,,0000,0000,0000,,putting this into practice here. These are my
Dialogue: 0,0:07:24.80,0:07:28.13,Default,,0000,0000,0000,,internal logs. Source--we're doing the distinct count.
Dialogue: 0,0:07:28.13,0:07:30.84,Default,,0000,0000,0000,,1, 1, 1, 1, 1. And we could basically... okay.
Dialogue: 0,0:07:30.84,0:07:33.08,Default,,0000,0000,0000,,So, 1, 1, 1, 1, 1. Nothing's changing.
Dialogue: 0,0:07:34.40,0:07:36.44,Default,,0000,0000,0000,,Is there a place where we get
Dialogue: 0,0:07:36.44,0:07:38.55,Default,,0000,0000,0000,,something that changes?
Dialogue: 0,0:07:42.76,0:07:45.68,Default,,0000,0000,0000,,Too much. Alright. Let's see.
Dialogue: 0,0:07:45.68,0:07:47.52,Default,,0000,0000,0000,,We might go
Dialogue: 0,0:07:47.52,0:07:51.68,Default,,0000,0000,0000,,to my Bro log. Make it easier.
Dialogue: 0,0:07:52.51,0:07:55.28,Default,,0000,0000,0000,,Yeah. Too many of these to mess
Dialogue: 0,0:07:55.28,0:07:57.56,Default,,0000,0000,0000,,around with. We'll go to Bro. I did
Dialogue: 0,0:07:57.56,0:08:00.59,Default,,0000,0000,0000,,streamstats. Not that one. Streamstats here.
Dialogue: 0,0:08:00.59,0:08:02.88,Default,,0000,0000,0000,,I'm doing IPs.
Dialogue: 0,0:08:02.88,0:08:06.48,Default,,0000,0000,0000,,And so we can see here, one.
Dialogue: 0,0:08:06.48,0:08:09.48,Default,,0000,0000,0000,,So all these come back. Well, it talked. How
Dialogue: 0,0:08:09.48,0:08:12.28,Default,,0000,0000,0000,,many times has 468 talked here? How many
Dialogue: 0,0:08:12.28,0:08:16.28,Default,,0000,0000,0000,,distinct IPs? One. Still, when it comes
Dialogue: 0,0:08:16.28,0:08:17.88,Default,,0000,0000,0000,,here, is it seeing anything new? Nope. So
Dialogue: 0,0:08:17.88,0:08:20.12,Default,,0000,0000,0000,,it's one. Seeing anything new? Nope. It's
Dialogue: 0,0:08:20.12,0:08:21.92,Default,,0000,0000,0000,,one. So is it seeing anything new? Nope.
Dialogue: 0,0:08:21.92,0:08:25.08,Default,,0000,0000,0000,,It's one. Oh, wait. This is a new IP
Dialogue: 0,0:08:25.08,0:08:28.48,Default,,0000,0000,0000,,pairing. So the number jumps to two. Now
Dialogue: 0,0:08:28.48,0:08:30.32,Default,,0000,0000,0000,,it flips back, but it's already seen that
Dialogue: 0,0:08:30.32,0:08:33.68,Default,,0000,0000,0000,,one, so it stays at two. 2, 2, 2, 2,
Dialogue: 0,0:08:33.68,0:08:37.00,Default,,0000,0000,0000,,2. And then when it reaches a brand new
Dialogue: 0,0:08:37.00,0:08:39.36,Default,,0000,0000,0000,,pair, how many times has it seen this one
Dialogue: 0,0:08:39.36,0:08:42.28,Default,,0000,0000,0000,,talk to this one? It goes back to one, and then
Dialogue: 0,0:08:42.28,0:08:44.12,Default,,0000,0000,0000,,it grows again because, oh, there's a new--
Dialogue: 0,0:08:44.12,0:08:46.32,Default,,0000,0000,0000,,there's a new communication there. So 2,
Dialogue: 0,0:08:46.32,0:08:49.44,Default,,0000,0000,0000,,2, 2... Oh, brand new communication, so it
Dialogue: 0,0:08:49.44,0:08:52.48,Default,,0000,0000,0000,,resets back to one. And so that's what
Dialogue: 0,0:08:52.48,0:08:55.00,Default,,0000,0000,0000,,streamstats will do. It will, based off
Dialogue: 0,0:08:55.00,0:08:57.72,Default,,0000,0000,0000,,your pairing, by each time you have
Dialogue: 0,0:08:57.72,0:09:00.20,Default,,0000,0000,0000,,a by on there, the field
Dialogue: 0,0:09:00.20,0:09:03.80,Default,,0000,0000,0000,,changes, and the count restarts. If I didn't
Dialogue: 0,0:09:03.80,0:09:05.32,Default,,0000,0000,0000,,put a by in there,
Dialogue: 0,0:09:05.32,0:09:07.88,Default,,0000,0000,0000,,this number would just keep
Dialogue: 0,0:09:07.88,0:09:09.36,Default,,0000,0000,0000,,growing each time it finds a new
Dialogue: 0,0:09:09.36,0:09:11.32,Default,,0000,0000,0000,,distinct count on the destination
Dialogue: 0,0:09:11.32,0:09:13.76,Default,,0000,0000,0000,,IP. And basically, it's just going to keep
Dialogue: 0,0:09:13.76,0:09:16.92,Default,,0000,0000,0000,,adding up. So you've got stats, which
Dialogue: 0,0:09:16.92,0:09:18.72,Default,,0000,0000,0000,,aggregates all of your
Dialogue: 0,0:09:18.72,0:09:22.20,Default,,0000,0000,0000,,events into very simplified forms, and
Dialogue: 0,0:09:22.20,0:09:24.48,Default,,0000,0000,0000,,it does statistics for the
Dialogue: 0,0:09:24.48,0:09:27.92,Default,,0000,0000,0000,,entire, the entire summarized set of
Dialogue: 0,0:09:27.92,0:09:31.52,Default,,0000,0000,0000,,data there. Then you have eventstats,
Dialogue: 0,0:09:31.52,0:09:33.64,Default,,0000,0000,0000,,which grabs the entire data set from beginning
Dialogue: 0,0:09:33.64,0:09:36.08,Default,,0000,0000,0000,,to end, does the mathematical statistics
Dialogue: 0,0:09:36.08,0:09:38.40,Default,,0000,0000,0000,,on it, and adds that value to each line,
Dialogue: 0,0:09:38.40,0:09:41.96,Default,,0000,0000,0000,,repeating it. So if there were seven
Dialogue: 0,0:09:41.96,0:09:43.72,Default,,0000,0000,0000,,distinct values here, all seven would
Dialogue: 0,0:09:43.72,0:09:46.52,Default,,0000,0000,0000,,have the exact same value. And streamstats?
Dialogue: 0,0:09:46.52,0:09:49.16,Default,,0000,0000,0000,,It orders it. Basically, each
Dialogue: 0,0:09:49.16,0:09:50.56,Default,,0000,0000,0000,,item coming through the pipe, through the
Dialogue: 0,0:09:50.56,0:09:54.00,Default,,0000,0000,0000,,stream, will change your statistics. And
Dialogue: 0,0:09:54.00,0:09:55.88,Default,,0000,0000,0000,,so it's a
Dialogue: 0,0:09:55.88,0:09:57.60,Default,,0000,0000,0000,,different way of looking at it. All three
Dialogue: 0,0:09:57.60,0:09:59.72,Default,,0000,0000,0000,,are different ways of looking at
Dialogue: 0,0:09:59.72,0:10:02.36,Default,,0000,0000,0000,,statistical packages. So, just getting
Dialogue: 0,0:10:02.36,0:10:03.92,Default,,0000,0000,0000,,some understanding of the data as it
Dialogue: 0,0:10:03.92,0:10:06.20,Default,,0000,0000,0000,,flows through. But that's the basic principle.
Dialogue: 0,0:10:06.20,0:10:08.20,Default,,0000,0000,0000,,If you want it quick and dirty, you want
Dialogue: 0,0:10:08.20,0:10:10.44,Default,,0000,0000,0000,,just a summarized bit of data on there,
Dialogue: 0,0:10:10.44,0:10:12.92,Default,,0000,0000,0000,,stats is your
Dialogue: 0,0:10:12.92,0:10:15.52,Default,,0000,0000,0000,,key. Streamstats is the other
Dialogue: 0,0:10:15.52,0:10:17.44,Default,,0000,0000,0000,,example, where you're basically looking
Dialogue: 0,0:10:17.44,0:10:21.20,Default,,0000,0000,0000,,for anomalies or averages over time, over
Dialogue: 0,0:10:21.20,0:10:24.16,Default,,0000,0000,0000,,the period. And I will be showing another
Dialogue: 0,0:10:24.16,0:10:26.24,Default,,0000,0000,0000,,tutorial right after this one with useful
Dialogue: 0,0:10:26.24,0:10:27.92,Default,,0000,0000,0000,,queries where you can change the windows
Dialogue: 0,0:10:27.92,0:10:30.72,Default,,0000,0000,0000,,and change how it groups things together.
Dialogue: 0,0:10:30.72,0:10:32.88,Default,,0000,0000,0000,,But streamstats is an
Dialogue: 0,0:10:32.88,0:10:36.16,Default,,0000,0000,0000,,amazing query for being able to know
Dialogue: 0,0:10:36.16,0:10:38.60,Default,,0000,0000,0000,,if previous values have an effect on
Dialogue: 0,0:10:38.60,0:10:41.36,Default,,0000,0000,0000,,future values, especially when looking for anomalies.
Dialogue: 0,0:10:41.36,0:10:44.04,Default,,0000,0000,0000,,Anyway, I hope this helps you in your journey
Dialogue: 0,0:10:44.04,0:10:46.48,Default,,0000,0000,0000,,from being a L.A.M.E. analyst to a Splunk
Dialogue: 0,0:10:46.48,0:10:49.44,Default,,0000,0000,0000,,ninja. If you like this, feel free
Dialogue: 0,0:10:49.44,0:10:51.80,Default,,0000,0000,0000,,to subscribe to my channel. Please put
Dialogue: 0,0:10:51.80,0:10:53.60,Default,,0000,0000,0000,,down below any comments or questions you
Dialogue: 0,0:10:53.60,0:10:56.36,Default,,0000,0000,0000,,might have, or any content you want me to
Dialogue: 0,0:10:56.36,0:10:58.32,Default,,0000,0000,0000,,do a video on. I love to hear from you
Dialogue: 0,0:10:58.32,0:10:59.76,Default,,0000,0000,0000,,guys. I like to do content you
Dialogue: 0,0:10:59.76,0:11:01.84,Default,,0000,0000,0000,,want to see. Anyway, I hope you'll keep
Dialogue: 0,0:11:01.84,0:11:04.94,Default,,0000,0000,0000,,coming back, and keep watching these videos.
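Editor's note, appended after the transcript: the three behaviours the video walks through (stats collapsing events to one row per group, eventstats writing the whole-set answer onto every event, streamstats keeping a running value per group in arrival order) are easy to misremember, so here is a small Python model of them run over constructed Zeek/Corelight-style conn records. This is an added example, not code from the video and not Splunk's implementation; the field names src_ip and dest_ip, the sample rows, and the SPL shown in the comments are assumptions for illustration. The reset_on_change flag models Splunk's streamstats argument of that name, which defaults to false; with the default, running state is kept separately per by-value rather than restarted when the by-value changes, which is why in the video a pair that "flips back" stays at two.

```python
"""Toy model of Splunk's stats / eventstats / streamstats over one event list.
Added for this page; not the video's code and not Splunk's implementation.
CONN_EVENTS is constructed sample data in the shape of Zeek/Corelight conn
records (field names assumed), listed in the order the search streams them."""
from collections import OrderedDict

CONN_EVENTS = [
    {"src_ip": "192.168.0.103", "dest_ip": "10.0.0.5"},
    {"src_ip": "192.168.0.103", "dest_ip": "10.0.0.5"},
    {"src_ip": "192.168.0.103", "dest_ip": "10.0.0.9"},
    {"src_ip": "192.168.0.125", "dest_ip": "10.0.0.5"},
    {"src_ip": "192.168.0.103", "dest_ip": "10.0.0.5"},
    {"src_ip": "192.168.0.125", "dest_ip": "10.0.0.7"},
    {"src_ip": "0.0.0.0", "dest_ip": "255.255.255.255"},
    {"src_ip": "0.0.0.0", "dest_ip": "255.255.255.255"},
]


def _key(ev, by):
    # With no by-clause every event falls into one group.
    return ev[by] if by else None


def stats_dc(events, field, by=None):
    """Models: | stats dc(<field>) by <by>
    Transforming: N events collapse to one row per distinct by-value."""
    groups = OrderedDict()
    for ev in events:
        groups.setdefault(_key(ev, by), set()).add(ev[field])
    rows = []
    for key, values in groups.items():
        row = {by: key} if by else {}
        row[f"dc({field})"] = len(values)
        rows.append(row)
    return rows


def eventstats_dc(events, field, by=None):
    """Models: | eventstats dc(<field>) as dc_dest by <by>
    Two passes: compute the answer over the whole result set, then write the
    group's final value onto every event of that group. Row count unchanged."""
    totals = {row.get(by): row[f"dc({field})"] for row in stats_dc(events, field, by)}
    return [dict(ev, dc_dest=totals[_key(ev, by)]) for ev in events]


def streamstats_dc(events, field, by=None, reset_on_change=False):
    """Models: | streamstats dc(<field>) as dc_dest by <by>
    One pass in arrival order: each event's value reflects only the events up
    to and including itself, with running state kept per group.
    reset_on_change mirrors Splunk's option of that name (default false): when
    true, all accumulated state is discarded whenever the by-value differs
    from the previous event's, so the count restarts at the group boundary."""
    seen = {}
    prev = object()  # sentinel: no previous event yet
    out = []
    for ev in events:
        key = _key(ev, by)
        if reset_on_change and key != prev:
            seen.clear()
        seen.setdefault(key, set()).add(ev[field])
        out.append(dict(ev, dc_dest=len(seen[key])))
        prev = key
    return out


if __name__ == "__main__":
    for name, rows in [
        ("stats", stats_dc(CONN_EVENTS, "dest_ip", "src_ip")),
        ("eventstats", eventstats_dc(CONN_EVENTS, "dest_ip", "src_ip")),
        ("streamstats", streamstats_dc(CONN_EVENTS, "dest_ip", "src_ip")),
    ]:
        print(f"--- {name}: {len(rows)} rows from {len(CONN_EVENTS)} events")
        for row in rows:
            print(row)
```

Run as-is: stats returns 3 rows from the 8 events, eventstats returns all 8 rows each carrying its source's final distinct count (2, 2, 2, 2, 2, 2, 1, 1), and streamstats returns 8 rows whose dc_dest climbs only as a source reaches a destination it has not touched before (1, 1, 2, 1, 2, 2, 1, 1). Two practitioner caveats the model makes visible: streamstats is order-dependent, and Splunk hands it results in the search's result order (newest first for a plain search), so put a `| sort _time` or `| reverse` in front of it when the hunt is "first time this host talked to that destination"; and an eventstats value is only meaningful once the whole result set has been read, so truncated results (the 10,000-row cut-off the video mentions) silently change the numbers it attaches.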