Splunk Search Command of the Week: STATS

Here’s the situation: You’re a security analyst that’s been tasked with finding different attacks on your servers. You need to find various events relating to possible brute force attempts, suspicious web page visits, or even suspicious downloads.

This probably isn’t much of a hypothetical — it might be a reality for a lot of people. We get it. Security is incredibly important in the era of technology. Fortunately, Splunk makes it easy to find this information, by using the STATS search command.

With the Splunk search command, STATS, the name says it all: it calculates statistics. Those statistical calculations include count, average, minimum, maximum, standard deviation, etc.  By using the STATS search command, you can find a high-level calculation of what’s happening to our machines.

|stats <aggregation> BY <field>

<aggregation> = count, avg(), max(), sum()

STATS Use Cases

Let’s take a look at a couple of use cases:

Use Case #1: You want to look at the number of failed login attempts.

index=_audit action="login attempt" info=failed | stats count by user
Figure 1 - Number of failed logins by user
Figure 1 – Number of failed logins by user


Use Case #2: You want to identify values like average, shortest, and the longest runtime on saved searches.

index=_internal sourcetype="scheduler" search_type=scheduled | stats avg(run_time) min(run_time) max(run_time)
Figure 2 - Average, shortest, and longest runtime of saved searches
Figure 2 – Average, shortest, and longest runtime of saved searches

STATS Results

STATS can help provide a strong overview of the activity within your environment. While STATS is a fairly simple command it can provide huge insights about your data. When paired with other commands like iplocation or lookup you can enrich your data to find anomalies such as interactions from certain countries or blacklisted IP addresses.   

Ask the Experts

Our Splunk Search Command of the Week series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practice. If you’re interested in learning more about our EOD service or chat with our team of experts, fill out the form below!