SPLK-1001 Using Basic Transforming Commands
Using Basic Transforming Commands
Detailed list of SPLK-1001 knowledge points
Using Basic Transforming Commands Detailed Explanation
5.1 Introduction to Transforming Commands
What Are Transforming Commands?
- Transforming commands take raw search results and transform them into structured data, usually in a table format.
- These commands are essential for:
- Summarizing large datasets.
- Generating insights through statistical analysis.
- Preparing data for visualizations like charts or dashboards.
Key Characteristics
- Output Format:
- Always produces a tabular output.
- Each row represents a group or category.
- Each column contains calculated values or statistics.
- Use Cases:
- Dashboards: Display metrics like event counts or averages.
- Reports: Create summaries like "Top 10 Hosts with Errors."
5.2 Common Transforming Commands
1. stats
Purpose:
- The
statscommand performs statistical calculations, such as:count: Total number of events.sum: Sum of values in a numeric field.avg: Average value of a numeric field.min: Minimum value.max: Maximum value.
- The
Syntax:
stats <function>(<field>) by <grouping_field>Example 1: Basic Count:
index=main | stats countOutput:
count 1000
Example 2: Grouped Count:
index=main | stats count by hostOutput:
host count server1 100 server2 200
Example 3: Multiple Calculations:
index=main | stats count, avg(response_time) by hostOutput:
host count avg(response_time) server1 100 250 server2 200 300
2. top and rare
Purpose:
top: Lists the most frequently occurring values in a field.rare: Lists the least frequently occurring values in a field.
Syntax:
top <field> rare <field>Example 1:
topCommand:index=main | top hostOutput:
host count percent server1 500 50% server2 300 30% server3 200 20%
Example 2:
rareCommand:index=main | rare hostOutput:
host count percent server7 1 0.1% server8 2 0.2%
3. chart
Purpose:
- The
chartcommand generates tabular data for visualizations like bar, pie, or line charts. - Aggregates data based on specific fields.
- The
Syntax:
chart <function>(<field>) by <field>Example:
index=main | chart avg(response_time) by hostOutput:
host avg(response_time) server1 250 server2 300
Use Cases:
- Visualize average response time per server in a bar chart.
- Compare sums of sales across different regions.
4. timechart
Purpose:
- Similar to
chart, but optimized for time-based data. - Automatically groups results into time intervals (e.g., minutes, hours).
- Similar to
Syntax:
timechart <function>(<field>) by <field>Example:
index=main | timechart count by hostOutput:
_time server1 server2 2025-01-01 00:00 50 60 2025-01-01 01:00 40 70
Use Cases:
- Monitor server errors over time.
- Track sales trends by region.
5. table
Purpose:
- Displays specific fields in a clean, tabular format.
- Does not perform any calculations.
Syntax:
table <field1>, <field2>, ...Example:
index=main | table host, response_timeOutput:
host response_time server1 200 server2 300
Use Cases:
- Export data for reporting.
- Display only relevant fields to reduce clutter.
6. fields
Purpose:
- Includes or excludes specific fields in the results.
- Improves search performance by reducing unnecessary data.
Syntax:
fields <field1>, <field2>, ...Example 1: Include Fields:
index=main | fields host, source- Only includes
hostandsourcefields in the output.
- Only includes
Example 2: Exclude Fields:
index=main | fields -source- Excludes the
sourcefield from the output.
- Excludes the
5.3 Combining Transforming Commands
Transforming commands can be combined using pipelines (
|) to refine and structure the results further.Example:
index=main | stats avg(response_time) as avg_time by host | sort -avg_time- Explanation:
stats avg(response_time) as avg_time by host:- Calculates the average response time per host.
sort -avg_time:- Sorts the results by
avg_timein descending order.
- Sorts the results by
- Explanation:
Advanced Example:
index=main | stats count by host | top limit=5 host- Explanation:
- Counts events by
host. - Displays the top 5 hosts based on event count.
- Counts events by
- Explanation:
Key Takeaways
- Transforming commands are powerful tools for summarizing and visualizing data.
- Each command has a specific purpose:
statsfor statistics.top/rarefor frequency analysis.chart/timechartfor visualizations.tableandfieldsfor simplifying output.
- Combining commands with pipelines lets you create complex workflows.
Using Basic Transforming Commands (Additional Content)
1. Introduction to Transforming Commands
Transforming commands are a key part of Splunk SPL and are used to aggregate, group, and structure raw event data.
Key Point: Transforming Commands Start a New Context
A transforming command always begins a new search pipeline.
When used after a non-transforming command such as
searchoreval, the pipeline changes from event-based results to aggregation-based output.
Example:
index=main error | stats count by host
- This starts with a raw event search (
index=main error) and then switches to aggregated, tabular output viastats.
2. Common Transforming Commands – Detailed Notes
stats Command
The stats command performs statistical calculations such as:
count,sum,avg,max,min,values,dc, etc.
Syntax Example with Alias:
index=main | stats avg(response_time) as avg_time by host
The use of aliasing (
as avg_time) allows you to:Improve readability in dashboards.
Use consistent field names across visualizations.
top and rare Commands
These commands provide frequency-based aggregation.
| Command | Purpose | Output Fields |
|---|---|---|
top |
Shows most frequent | field, count, percent |
rare |
Shows least frequent | field, count, percent |
Example:
index=main | top status_code
- Returns the most common
status_codevalues, including their count and percentage.
chart vs. stats
While both perform aggregation, their output formats differ:
| Command | Output Style | Use Case Example |
|---|---|---|
chart |
Columnar format (good for graphs) | chart avg(response_time) by host |
stats |
Row-wise aggregation | stats avg(response_time) by host |
chart is especially helpful when you need visual layout for bar or pie charts, whereas stats is used for raw summary data.
timechart Command
The timechart command is optimized for time-series visualizations.
| Use Case | Description |
|---|---|
timechart count |
Shows total event trend over time (no field breakdown) |
timechart count by host |
Displays a line/column chart with each host as a series |
Tip: If no by is specified, the result is a single-series trend; adding by creates multiple series.
table vs. fields
| Command | Purpose | Exam Tip |
|---|---|---|
table |
Formats data as a column view | Does not remove duplicates or sort automatically |
fields |
Includes/excludes fields | Used to reduce data volume and improve performance |
Common Misconception:
Many learners believe
tablesorts or deduplicates — it does not.Use
sortanddedupexplicitly if needed.
Example:
index=main | table host, status
- Displays only the
hostandstatusfields — order and duplicates remain unchanged.
3. Combining Transforming Commands – SPL Limitation
Transforming commands such as stats, chart, timechart, top, etc., cannot be chained together directly.
Invalid Example:
index=main | stats count by host | chart avg(response_time) by host
This query will fail, because only one transforming command is allowed per pipeline.
Valid Workaround (using subsearch):
If you must combine logic, you should restructure using:
Subsearches, or
Break up the logic into multiple dashboards or saved searches.
Exam-Ready Summary Table
| Command | Key Features |
|---|---|
stats |
Aggregates data; supports aliases via as; outputs row format |
chart |
Outputs column format, good for bar/pie charts |
timechart |
Ideal for trend analysis; by adds series |
top/rare |
Adds count and percent automatically |
table |
Formats fields into columns; does not sort or deduplicate |
fields |
Controls which fields appear; improves performance |
| Combining | Only one transforming command per pipeline allowed |
Final Notes for SPLK-1001 Candidates
Know the differences between
stats,chart, andtimechart.Understand that
tableis display-only, not an analytical tool.Be cautious when attempting to chain multiple aggregations — Splunk will not allow it without structural modification.
Expect questions that ask you to analyze incorrect usage of SPL commands in search pipelines.
Frequently Asked Questions
What does the stats command do in Splunk?
The stats command calculates aggregate statistics such as count, sum, average, or maximum values from search results.
stats is one of the most important transforming commands in Splunk. It converts raw events into summarized statistical results. For example:
index=web | stats count by status
This counts how many events exist for each HTTP status code. The command groups events by the specified field and calculates the chosen metric. Because it transforms events into statistical tables, raw event data is no longer available after the command runs. Understanding how stats aggregates data is heavily tested in the SPLK-1001 exam.
Demand Score: 90
Exam Relevance Score: 96
What does the top command do in Splunk?
The top command displays the most common values of a field along with their count and percentage.
For example:
index=web | top uri
This command identifies which URI values appear most frequently in the dataset. The output includes the count and percentage of each value. top is commonly used to quickly identify dominant values such as frequently accessed pages or most common error codes. The exam often tests understanding of which command is used to identify the most frequent values.
Demand Score: 86
Exam Relevance Score: 92
What does the rare command do in Splunk?
The rare command identifies the least common values of a specified field.
Example:
index=web | rare status
This command shows values that appear infrequently in the dataset. Security analysts often use this command to identify anomalies or unusual activity, such as rare login attempts or uncommon system events. The exam blueprint specifically lists the rare command, making it a likely exam topic.
Demand Score: 82
Exam Relevance Score: 91
What is the main difference between stats and top commands?
stats performs customizable statistical calculations, while top specifically returns the most frequent values with counts and percentages.
stats is flexible and supports many aggregation functions such as count, sum, avg, and max. In contrast, top is a convenience command that automatically calculates counts and percentages of the most common values. For example:
| stats count by user
vs.
| top user
Both produce frequency information, but top automatically adds percentage information and sorts the results. Understanding this difference helps users choose the correct command in search scenarios.
Demand Score: 84
Exam Relevance Score: 94
Why can you no longer see raw events after using the stats command?
Because stats transforms raw events into aggregated statistical results.
Transforming commands summarize data and replace raw event output with calculated values. After stats runs, the result set contains only aggregated fields and values. Commands that require raw event data cannot run after a transforming command unless the search is rewritten. The certification exam often checks whether candidates understand the difference between event processing commands and transforming commands.
Demand Score: 80
Exam Relevance Score: 93
Which command would you use to identify the most frequent source IP addresses in logs?
Use the top command with the IP field.
Example:
index=firewall | top src_ip
This command displays the most common source IP addresses in the dataset along with counts and percentages. Analysts use this to quickly identify high-volume sources, which could indicate popular clients or potential attacks. The exam frequently tests whether candidates know which command identifies most common values in a dataset.
Demand Score: 83
Exam Relevance Score: 95
