eventstats
Synopsis
Adds summary statistics to all search results.
Syntax
eventstats [allnum=bool] [stats-agg-term]* [by-clause]
Arguments
- allnum
  - Datatype: <bool>
  - Description: The 'allnum' option has the same meaning as that option in the stats command.
- stats-agg-term
  - Syntax:
  - Description:
- by-clause
  - Syntax:
  - Description:
Description
Generates summary statistics for the existing fields in your search results and saves them as values in new fields on each event. Specify a new field name for the statistics results by using the as argument. If you do not specify a new field name, the default field name is the statistical operator applied to the field it operated on (for example: stat-operator(field)). The command works just like the 'stats' command, except that the aggregation results are added inline to each event, and each event receives only the aggregations that are pertinent to it (with a by-clause, the aggregate for that event's group). The 'allnum' option has the same meaning as that option in the stats command. See stats-command for detailed descriptions of the syntax.
Examples
Example 1: Compute the overall average duration and add 'avgdur' as a new field to each event where the 'duration' field exists.
... | eventstats avg(duration) as avgdur
Example 2: Same as Example 1, except that averages are calculated for each distinct value of date_hour, and the aggregate value added to each event is the one that pertains to the value of date_hour in that event.
... | eventstats avg(duration) as avgdur by date_hour
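To make the difference between stats and eventstats concrete, here is an added Python model of the two examples above; it is illustrative code, not part of Splunk or this documentation. The sample events, the function names eventstats_avg and slow_events, and the rule that an event missing the by-field gets no aggregate are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample events (not from the documentation). One event has no
# 'duration' field, so it must not receive an 'avgdur' field.
EVENTS = [
    {"host": "web01", "date_hour": 9, "duration": 120},
    {"host": "web01", "date_hour": 9, "duration": 180},
    {"host": "web02", "date_hour": 10, "duration": 300},
    {"host": "web02", "date_hour": 10, "duration": 900},
    {"host": "web03", "date_hour": 10},  # no 'duration' field
]


def eventstats_avg(events, field, as_name, by=None):
    """Model of `eventstats avg(<field>) as <as_name> [by <by>]`.

    Unlike stats, every input event is kept. Each event that carries <field>
    gets the average as a new field: the overall average without a by-clause,
    or the average of that event's group with one. An event that lacks the
    by-field is assumed (for this model) to belong to no group and is left
    unchanged.
    """
    sums = defaultdict(float)
    counts = defaultdict(int)
    for ev in events:
        if field not in ev or (by and by not in ev):
            continue  # contributes nothing to the aggregate
        key = ev[by] if by else None
        sums[key] += ev[field]
        counts[key] += 1
    out = []
    for ev in events:
        enriched = dict(ev)  # events are enriched, never collapsed
        if field in ev and (not by or by in ev):
            key = ev[by] if by else None
            enriched[as_name] = sums[key] / counts[key]
        out.append(enriched)
    return out


def slow_events(events, factor=2.0):
    """Events whose duration exceeds factor x avgdur, i.e. the eventstats
    result followed by `where duration > factor*avgdur`."""
    return [ev for ev in events
            if "avgdur" in ev and ev["duration"] > factor * ev["avgdur"]]
```

With the overall average (375) the 900-unit event stands out, but against its own hour's average (600) it does not, which is why the choice of by-clause matters when using eventstats for outlier hunting.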
See also
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11