Adds summary statistics to all search results.
Generates summary statistics of all existing fields in your search results and saves those statistics into new fields. The eventstats command is similar to the stats command. The difference is that with the eventstats command, aggregation results are added inline to each event, and added only if the aggregation is pertinent to that event.
eventstats [allnum=<bool>] <stats-agg-term>... [<by clause>]
- <stats-agg-term>
- Syntax: <stats-func>( <evaled-field> | <wc-field> ) [AS <wc-field>]
- Description: A statistical aggregation function. Use the AS clause to place the result into a new field with a name that you specify. The function can be applied to an eval expression, or to a field or set of fields. You can use wildcard characters in the field name.
- allnum
- Syntax: allnum=<bool>
- Description: If true, computes numerical statistics on each field if and only if all of the values of that field are numerical.
- Default: false
- <by clause>
- Syntax: BY <field-list>
- Description: The name of one or more fields to group by.
Descriptions for the stats-func options
- Syntax: avg() | c() | count() | dc() | distinct_count() | first() | last() | list() | max() | median() | min() | mode() | p<int>() | perc<int>() | per_day() | per_hour() | per_minute() | per_second() | range() | stdev() | stdevp() | sum() | sumsq() | values() | var() | varp()
- Description: Functions used with the eventstats command. Each time you invoke the eventstats command, you can use more than one function. However, you can use only one by clause. For a complete list of statistical functions with descriptions and examples, see Statistical and charting functions.
In the limits.conf file, the max_mem_usage_mb setting in the [default] stanza is used to limit how much memory the eventstats command uses to keep track of information. If the eventstats command reaches this limit, the command stops adding the requested fields to the search results. You can increase the limit, contingent on the available system memory.
The maxresultrows setting in the [searchresults] stanza specifies the maximum number of results to return. The default value is 50,000. Increasing this limit can result in more memory usage.
Only users with file system access, such as system administrators, can edit the configuration files. Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make the changes in the local directory.
If you are using Splunk Cloud and want to change either of these settings, file a Support ticket.
Functions and memory usage
Some functions are inherently more expensive, from a memory standpoint, than other functions. For example, the distinct_count function requires far more memory than the count function. The list functions also can consume a lot of memory.
If you are using the distinct_count function without a split-by field or with a low-cardinality split-by field, consider replacing the distinct_count function with the estdc function (estimated distinct count). The estdc function might result in significantly lower memory usage and run times.
Event order functions
Using the first and last functions when searching based on time does not produce accurate results.
- To locate the first value based on time order, use the earliest function instead of the first function.
- To locate the last value based on time order, use the latest function instead of the last function.
For example, consider the following search.
| eventstats first(LastPass) as LastPass, last(_time) as mostRecentTestTime
| where startTime==LastPass OR _time==mostRecentTestTime
| stats first(startTime) AS startTime, first(status) AS status,
first(histID) AS currentHistId, last(histID) AS lastPassHistId BY testCaseId
When you use the eventstats command to order events based on time, use the earliest and latest functions. The following search is the same as the previous search, except that the first and last functions are replaced with the earliest and latest functions.
| eventstats latest(LastPass) AS LastPass, earliest(_time) AS mostRecentTestTime
| where startTime==LastPass OR _time==mostRecentTestTime
| stats latest(startTime) AS startTime, latest(status) AS status,
latest(histID) AS currentHistId, earliest(histID) AS lastPassHistId BY testCaseId
Example 1: Compute the overall average duration and add 'avgdur' as a new field to each event where the 'duration' field exists.
... | eventstats avg(duration) AS avgdur
Example 2: Same as Example 1, except that averages are calculated for each distinct value of date_hour, and then each event gets the average for its particular value of date_hour.
... | eventstats avg(duration) AS avgdur BY date_hour
Example 3: This search looks for spikes in error volume. You can use this search to trigger an alert if the count of errors is higher than average, for example.
eventtype="error" | eventstats avg(foo) AS avg | where foo>avg
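As an added example that is not part of the Splunk documentation, the following Python models the eventstats behaviour this page describes: the two-pass, hold-everything aggregation behind the max_mem_usage_mb note, the BY clause of Example 2, the above-average filter of Example 3, and the first versus earliest distinction from the Event order functions section. The sample events and the helper functions are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events in search-result order (newest first, as Splunk returns them).
EVENTS = [
    {"_time": 1700000300, "host": "web1", "errors": 9, "duration": 3.0},
    {"_time": 1700000200, "host": "web2", "errors": 2, "duration": 1.0},
    {"_time": 1700000100, "host": "web1", "errors": 1, "duration": 2.0},
    {"_time": 1700000000, "host": "web2", "errors": 4},  # no duration field
]

def eventstats(events, func, field, as_field, by=None):
    """Model of: | eventstats <func>(<field>) AS <as_field> [BY <by>].

    Pass 1 groups every event that carries <field> (and the BY field, if any);
    pass 2 writes the group result inline onto those same events. Everything
    must be held until pass 1 finishes, which is the memory cost that the
    max_mem_usage_mb setting bounds.
    """
    groups = defaultdict(list)
    for ev in events:
        if field in ev and (by is None or by in ev):
            groups[ev.get(by)].append(ev)
    results = {key: func(evs, field) for key, evs in groups.items()}
    annotated = []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's events
        if field in ev and (by is None or by in ev):
            ev[as_field] = results[ev.get(by)]
        annotated.append(ev)
    return annotated

# Stats functions as eventstats applies them: each receives the group's events.
def avg(evs, f):
    return mean(ev[f] for ev in evs)

def first(evs, f):  # first in *result* order, not in time order
    return evs[0][f]

def earliest(evs, f):  # first in *time* order: what a time-based search wants
    return min(evs, key=lambda e: e["_time"])[f]

def latest(evs, f):
    return max(evs, key=lambda e: e["_time"])[f]

def error_spikes(events):
    """Example 3 on this page: keep events whose error count is above the overall average."""
    return [ev for ev in eventstats(events, avg, "errors", "avg") if ev["errors"] > ev["avg"]]
```

Note that first() on _time returns the newest event here because search results arrive newest first, which is exactly the inaccuracy the earliest and latest functions avoid.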
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0