Splunk - Mastering SPL (Transforming and Streaming commands)

Splunk - Mastering SPL (Transforming and Streaming commands). Develop a knack!

Distinct Count V/s estdc
index=main sourcetype=access_combined_wcookie
| stats dc(clientip) AS "distinct client ips"

BY Clause (Splitting)
index=main sourcetype=access_combined_wcookie
| stats count BY method, action, categoryId

Functions
index=main sourcetype=access_combined_wcookie
| stats
max(bytes) AS "Largest",
min(bytes) AS "Smallest",
avg(bytes) AS "Average",
perc95(bytes) AS "95th percentile"

Values/List for stats
index=main sourcetype="access_combined_wcookie" status=5*
| stats
count AS "Total Server Errors",
values(uri_path) AS "Unique URI accessed"
BY status

First time HTTP error code 503 was received
index=main sourcetype="access_combined_wcookie" status=503
| stats earliest(_raw) AS "First event "

Last event from this IP: clientip="117.21.246.164"
index=main sourcetype="access_combined_wcookie" clientip="117.21.246.164"
| stats latest(_raw) AS "Last event from 117.21.246.164"

Eventstats
index=main sourcetype="access_combined_wcookie" action=purchase
| stats count by categoryId
| eventstats avg(count) as avgcount
| table categoryId count avgcount


Streamstats (RANKING for categories)
index=main sourcetype="access_combined_wcookie" action=purchase
| stats count as "total purchases" by categoryId
| sort 5 - "total purchases"
| streamstats count as rank

RARE
Lowest 2 selling categories
index=main sourcetype="access_combined_wcookie" action=purchase categoryId!=NULL
| rare limit=2 categoryId

Lowest selling product for each category
index=main sourcetype="access_combined_wcookie" action=purchase categoryId!=NULL
| rare productId by categoryId limit=1

CHART (span argument)
index=main sourcetype="access_combined_wcookie" action=purchase categoryId!=NULL
| chart count by bytes span=1000

index=main sourcetype="access_combined_wcookie"
| chart count over categoryId by productId limit=4 usenull=f useother=f