Welcome to another Lame Log Analysis Made Easy tutorial. In this one we're going to talk about stats, eventstats and streamstats. Basically, this tutorial will brief you on the difference between the three. They are slightly different; I'm going to try a few different ways to show it, and hopefully by the end of this tutorial you'll have a good idea of how they can be used. I'll put another video on after this one of use cases, for example analytic hunting and stuff that you might actually use the different queries for. But let's start first off with the stats command.

I just started here: index equals internal, table source and sourcetype, stats, give me the distinct count of the source by the sourcetype. dc is distinct count. So basically I'm looking at the internal log. I just want to do something; you could do it anywhere you want. I'm just getting all the distinct sources by sourcetype. When I ran that I see that this sourcetype, Splunk Assist internal log, has two sources; this one has three; most of these just have one; this one, splunkd, has four sources. What it does is it takes 155,156 events.

In case you ever want to get Splunk certified or hear these things: these are transformation commands. Transformation commands take logs and change them, primarily into tables. It takes the raw log format and turns it into a table. Often with stats you'll collapse, like here, a massive reduction. Anyway, we've done that, so that shows stats.

Let's show eventstats. Eventstats is going to take... oh, here, another example of that command. We're going to just use this, the Corelight index. I'm looking at my connection logs, I'm doing source IP, destination IP, and I'm still staying with the stats command here: give me all of the distinct counts of destination IPs to a source IP, so how many different IP addresses did each source IP go to. There were 31,800 total events but it only displays 81 because it collapses them down. I can see that 192.168.0.103 went to 33 different addresses, 25, 7, 10, 43, etc. And that is stats.

Now let's look at eventstats. Eventstats: going back to my original example, we had 155,118 events showed here, the exact same query, give me a distinct count on this internal. What you'll notice is I had 155,118 results come back, close enough; clearly it was based off when they ran. And how many displays: 155,156 show up as individual lines of the entire group. So it's going to go look at this entire data set and come back with the statistical numbers for each line. And so if we move on we'll see when the Splunk metric log changes, somewhere down the line. We'll eventually get there. It changes: now we have this access log and there's just one unique, two unique, and so each here you've got the two, you can... and two, blah blah, and down the lines we go. So basically this is just statistics, and each line gets its stuff added to it.

Another example using my Corelight logs. Hopefully this pushes it out. Here's my source IP, here's my destination IP. One of the things you'll notice: be careful with stats, you lose values when you use stats. So here stats has 10,000. I would need to do something different to allow me to be able to bring back more than 10,000 events, but we're just going to move on and ignore the fact that if I had let the limits be as big it would be 31,780 events. And so I come back and we can see how many different IP addresses did 0.0.0.0 talk to: one, etc. And it doesn't matter how many times it shows up, it only talked one time. Now here we can see 133, etc.; it says there were two. We can see the first one, 192.168.0.125, 125, 125, 125, still the same, but somewhere around here there's going to be... oh, there it is, this one here, there's my... that's the second one, and that's why we have two. But it marks two to every one of these events. And the same if I had something with three or up, like here, 44: if I count it all, there will be 44 distinct IP addresses in all these pairings that go together. Here I've got two, which is 251, 119; that's why I've got two.

So eventstats will take the entire beginning to end of all your data, do its mathematical analysis, and every log that came back will get that value written into it. Streamstats does it slightly differently. Streamstats, I'm going to show my last example here. Nope, this one's my last example. Nope, where did I put that... okay, this one here. I'm just going to show streamstats. It actually does something very similar to what eventstats does, but it takes each line as it comes through the stream from the indexer and computes it and keeps growing. So for example here I did a head 100. I'm not going to use any of the values, I'm just going to say streamstats count, and I just want to know... So if you'd done stats count, if I'd done a head 100 and I do a stats count, guess what the count's going to be: 100, or less if there's not 100 values that come back. But if I do streamstats, I'm going to count as event count so I can see it growing, and I'm going to table it. The very first value that comes back, it says how many total events are there. Well, when the first event comes back there'll be one. Then when the second event comes back, how many total will there be? Two. When the third one comes in line, how many will there be? Three, four, five, six, seven, etc., until I reach the back and it's 100. So what happens is this statistical number keeps growing as the items come through the stream. Eventstats totals the entire bundle from beginning to end, statistical numbers, and puts them on each line. Streamstats takes each line as it comes through and does the math on them.

So let's show another kind of putting this in practice. Here, this is my internal logs source, we're doing the distinct count: 1, 1, 1, 1, 1. And we can basically... okay, so 1, 1, 1, 1, 1, 1, 1, nothing's changing. Is there a place where we get something that changes? Too much, all right, let's see. We might go to my bro log, make it easier. Yeah, too many of these to mess around with, we'll go to bro. I did streamstats, not that one, streamstats here, I'm doing IPs. And so we can see here one. So all these come back. How many times has 468 talked here, how many distinct IPs? One. Still, when it comes here, is it seeing anything new? Nope, so it's one. Seeing anything new? Nope, it's one. So is it seeing anything new? Nope, it's one. Oh wait, this is a new IP pairing, so the number jumps to two. Now it flips back, but it's already seen that one, so it stays at two, two, two, two, two, two. And then when it reaches a brand new pair, how many times has it seen this one talk to this one? Goes back to one. Then it grows again because, oh, there's new communication there, so two, two, two. Oh, brand new communication, so it resets back to one. And so that's what streamstats will do. It will, based off your pairing, the by: each time you have a by on there, if that field changes the count restarts. If I didn't put a by in there, this number would just keep growing each time it finds a new distinct count on the destination IP, and basically it's just going to keep adding up.

And so you've got stats, which aggregates all of your events into very simplified forms, and it does statistics for the entire summarized set of data there. Then you have eventstats, which grabs the entire thing from beginning to end, does the mathematical statistics on it and adds that value to each line, and it repeats it: so if there were seven distinct values here, all seven would have the exact same value. And streamstats, it orders it; basically each item coming through the pipe, through the stream, will change your statistics. It's a different way of looking at it. All three are different ways of looking at statistical packages, getting some understanding of the data as it flows through. But that's the basic principle: if you want it quick and dirty, you want just a summarized bit of data on there, stats is king. And streamstats is on the other example where you're basically looking for anomalies or averages over time, over the period. And I will be showing another tutorial right after this of useful queries where you can change the windows and change how it groups things together. But streamstats is an amazing query for being able to know, do previous values have an effect on future values, for looking for anomalies. And so anyway, I hope this helps you go from being a lame analyst to a Splunk ninja. And if you like this, feel free to subscribe to my channel. Please put down below any comments, questions you might have, any content you want me to do a video on. I love to hear from you guys; I like to do content that you guys want to see. Anyway, I hope you'll keep coming back and keep watching these videos.
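As an added worked example (not from the video), here is a small Python model of what the three commands compute over a constructed set of connection records: stats dc(dest_ip) by src_ip collapses to one row per source, eventstats writes that same whole-search value onto every event, and streamstats keeps a running per-by-group value that only grows when a new destination appears for that source. The field names src_ip and dest_ip are assumed.

```python
"""Model of Splunk stats / eventstats / streamstats semantics (added example)."""
from collections import defaultdict

# Constructed connection events (not from the video), in arrival order.
EVENTS = [
    {"src_ip": "192.168.0.103", "dest_ip": "10.0.0.1"},
    {"src_ip": "192.168.0.125", "dest_ip": "10.0.0.1"},
    {"src_ip": "192.168.0.103", "dest_ip": "10.0.0.2"},
    {"src_ip": "192.168.0.125", "dest_ip": "10.0.0.1"},  # repeat, not new
    {"src_ip": "192.168.0.103", "dest_ip": "10.0.0.1"},  # repeat, not new
    {"src_ip": "192.168.0.103", "dest_ip": "10.0.0.3"},
    {"src_ip": "192.168.0.125", "dest_ip": "10.0.0.9"},
]


def stats_dc(events, field, by):
    """... | stats dc(<field>) by <by>: one row per group, raw events are gone."""
    seen = defaultdict(set)
    for e in events:
        seen[e[by]].add(e[field])
    return {group: len(vals) for group, vals in seen.items()}


def eventstats_dc(events, field, by, out="dc"):
    """... | eventstats dc(<field>) by <by>: every event is kept and gets
    the whole-search total for its group, so all rows of a group match."""
    totals = stats_dc(events, field, by)
    return [{**e, out: totals[e[by]]} for e in events]


def streamstats_dc(events, field, by, out="dc"):
    """... | streamstats dc(<field>) by <by>: running distinct count per
    group; it grows only when an event brings a new value for that group."""
    seen = defaultdict(set)
    rows = []
    for e in events:
        seen[e[by]].add(e[field])
        rows.append({**e, out: len(seen[e[by]])})
    return rows


def streamstats_count(events, out="count"):
    """... | streamstats count (no by clause): 1, 2, 3, ... as events stream in."""
    return [{**e, out: i} for i, e in enumerate(events, start=1)]


if __name__ == "__main__":
    print("stats      ", stats_dc(EVENTS, "dest_ip", "src_ip"))
    print("eventstats ", [r["dc"] for r in eventstats_dc(EVENTS, "dest_ip", "src_ip")])
    print("streamstats", [r["dc"] for r in streamstats_dc(EVENTS, "dest_ip", "src_ip")])
```

The last streamstats value for a group equals the eventstats value for that group, which is the "grows until it reaches the end" behaviour described above.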