eventstats command overview

The SPL2 eventstats command generates summary statistics from fields in your events and saves those statistics into a new field. The eventstats command places the generated statistics in new field that is added to the original raw events.

Syntax

The required syntax is in bold.

eventstats

[allnum=<bool>]

<stats-agg-term>...

[<by-clause>]

How the SPL2 eventstats command works

It's much easier to see what the SPL2 eventstats command does by showing you examples, using a set of simple events.

These examples use the from command to create a set of events. The streamstats and eval commands are used to create additional fields in the events.

Creating a set of events

Let's start by creating a set of four events by using a dataset literal.

| from [{"age":25, "city": "San Francisco"}, {"age": 39, "city": "Seattle"}, {"age":31, "city": "San Francisco"}, {"city": "Seattle"}] | eval _time = now() | streamstats count()

• The from command is used to create four results, which contain the timestamp when the results where created. The dataset literal specifies fields and values for four events. The fields are "age" and "city".
• The last event does not contain the age field.
• The streamstats command is used to create the count field. The streamstats command calculates a cumulative count for each event, at the time the event is processed.

The results of the search look like this:

Using eventstats with a BY clause

The BY clause in the eventstats command is optional, but is used frequently with this command. The BY clause groups the generated statistics by the values in a field. You can use any of the statistical functions with the eventstats command to generate the statistics. See the Quick Reference for SPL2 Stats and Charting Functions.

In this example, the eventstats command generates the average age for each city. The generated averages are placed into a new field called avg(age).

The following search is the same as the previous search, with the eventstats command added at the end:

| from [{"age":25, "city": "San Francisco"}, {"age": 39, "city": "Seattle"}, {"age":31, "city": "San Francisco"}, {"city": "Seattle"}] | eval _time = now() | streamstats count() | eventstats avg(age) BY city

• For San Francisco, the average age is 28 = (25 + 31) / 2.
• For Seattle, there is only one event with a value. The average is 39 = 39 / 1. The eventstats command places that average in every event for Seattle, including events that did not contain a value for age.

The results of the search look like this:

Renaming the new field

By default, the name of the new field that is generated is the name of the statistical calculation. In these examples, that name is avg(age). You can rename the new field using the AS keyword.

In the following search, the eventstats command has been adjusted to rename the new field to average age by city.

| from [{"age":25, "city": "San Francisco"}, {"age": 39, "city": "Seattle"}, {"age":31, "city": "San Francisco"}, {"city": "Seattle"}] | eval _time = now() | streamstats count() | eventstats avg(age) AS 'average age by city' BY city

The results of the search look like this:

Events with text values

The previous examples show how an event is processed that does not contain a value in the age field. Let's see how events are processed that contain an alphabetic character value in the field that you want to use to generate statistics.

The following search includes the word test as a value in the age field.

| from [{"age":25, "city": "San Francisco"}, {"age": 39, "city": "Seattle"}, {"age":31, "city": "San Francisco"}, {"age":"test", "city": "Seattle"}] | eval _time = now() | streamstats count()

The results of the search look like this:

Let's add the eventstats command to the search.

| from [{"age":25, "city": "San Francisco"}, {"age": 39, "city": "Seattle"}, {"age":31, "city": "San Francisco"}, {"age":"test", "city": "Seattle"}] | eval _time = now() | streamstats count() | eventstats avg(age) BY city

The alphabetic values are treated like null values. The results of the search look like this:

Using the allnum argument

But suppose you don't want statistics generated when there are alphabetic characters in the field or the field is empty?

The allnum argument controls how the eventstats command processes field values. The default setting for the allnum argument is FALSE. Which means that the field used to generate the statistics does not need to contain all numeric values. Fields with empty values or alphabetic character values are ignored. You've seen this in the earlier examples.

You can force the eventstats command to generate statistics only when the fields contain all numeric values. To accomplish this, you can set the allnum argument to TRUE.

| from [{"age":25, "city": "San Francisco"}, {"age": 39, "city": "Seattle"}, {"age":31, "city": "San Francisco"}, {"age":"test", "city": "Seattle"}] | eval _time = now() | streamstats count() | eventstats allnum=true avg(age) BY city

The results of the search look like this:

Because the age field contains values for Seattle that are not all numbers, the entire set of values for Seattle are ignored. No average is calculated.

The allnum=true argument applies to empty values as well as alphabetic character values.

See also

eventstats command

eventstats command syntax details

eventstats command usage

eventstats command examples

Other commands

stats command overview

streamstats command overview

Blogs

Search commands > stats, eventstats and streamstats