Adds summary statistics to all search results.
eventstats [allnum=<bool>] <stats-agg-term>* [<by clause>]
- <stats-agg-term>
- Syntax: <stats-func>( <evaled-field> | <wc-field> ) [AS <wc-field>]
- Description: A statistical specifier, optionally renamed to a new field name. The specifier can be an aggregation function applied to a field or set of fields, or an aggregation function applied to an arbitrary eval expression.
- allnum
- Syntax: allnum=<bool>
- Description: If true, computes numerical statistics on each field if and only if all of the values of that field are numerical (default is false).
- <by clause>
- Syntax: by <field-list>
- Description: The name of one or more fields to group by.
Stats functions options
- Syntax: avg() | c() | count() | dc() | distinct_count() | first() | last() | list() | max() | median() | min() | mode() | p<int>() | perc<int>() | per_day() | per_hour() | per_minute() | per_second() | range() | stdev() | stdevp() | sum() | sumsq() | values() | var() | varp()
- Description: Functions used with the stats command. Each time you invoke the stats command, you can use more than one function; however, you can only use one by clause. For a list of stats functions with descriptions and examples, see "Functions for stats, chart, and timechart".
Generate summary statistics of all existing fields in your search results and save them as values in new fields. Specify a new field name for the statistics results by using the AS argument. If you don't specify a new field name, the default field name is the statistical operator and the field it operated on (for example: stat-operator(field), such as avg(duration)). eventstats works just like the stats command, except that the aggregation results are added inline to each event rather than replacing the events, and each event receives only the aggregations that are pertinent to it (those computed for its own by-clause group). The allnum option has the same meaning as in the stats command.
Example 1: Compute the overall average duration and add 'avgdur' as a new field to each event where the 'duration' field exists
... | eventstats avg(duration) as avgdur
Example 2: Same as Example 1 except that averages are calculated for each distinct value of date_hour and then each event gets the average for its particular value of date_hour.
... | eventstats avg(duration) as avgdur by date_hour
Example 3: Flag error events whose 'foo' value is above the average of 'foo' across all error events. Note that this search compares individual field values, not the number of errors: to alert on error volume, count the events per time interval first (for example with stats) and then use eventstats to compare each interval's count with the average count.
eventtype="error" | eventstats avg(foo) as avg | where foo>avg
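The following Python is an added example, not code from the Splunk documentation, that models the eventstats behaviour described above over a handful of constructed events: the aggregate is computed once per by-clause group and written inline to every event in that group, events lacking the aggregated field get no value (as Example 1 states), allnum suppresses the statistic for any group that holds a non-numeric value, and a stats-then-eventstats pass gives a count-based version of Example 3. The SPL that the last function mirrors, eventtype="error" | stats count by date_hour | eventstats avg(count) as avg | where count>avg, is my own rather than the page's; the sample events and the helper names are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events (not from the Splunk page). 'date_hour' is the
# hour each event fell in; one event lacks 'duration' and one carries a
# non-numeric 'duration' so the missing-field and allnum cases are exercised.
SAMPLE_EVENTS = [
    {"_time": "2013-03-01T09:05:00", "date_hour": 9, "eventtype": "error", "duration": 120},
    {"_time": "2013-03-01T09:20:00", "date_hour": 9, "eventtype": "error", "duration": 80},
    {"_time": "2013-03-01T10:02:00", "date_hour": 10, "eventtype": "error", "duration": 300},
    {"_time": "2013-03-01T10:30:00", "date_hour": 10, "eventtype": "error"},
    {"_time": "2013-03-01T10:31:00", "date_hour": 10, "eventtype": "error", "duration": "n/a"},
    {"_time": "2013-03-01T11:15:00", "date_hour": 11, "eventtype": "error", "duration": 40},
]


def _as_number(value):
    """Return value as a float, or None if it is not numeric."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def eventstats_avg(events, field, as_field, by=None, allnum=False):
    """Model of `... | eventstats avg(<field>) AS <as_field> [by <by>]`.

    Unlike stats, every input event is returned. Events that carry <field>
    (and the by-field, if one is given) get their group's average added
    under <as_field>. Non-numeric values are ignored unless allnum=True, in
    which case a group holding any non-numeric value yields no statistic.
    """
    # Pass 1: collect the raw values of <field> per group (key None = no by clause).
    groups = defaultdict(list)
    for ev in events:
        if field not in ev or (by is not None and by not in ev):
            continue
        groups[ev.get(by)].append(ev[field])

    # One aggregate per group, honouring allnum.
    averages = {}
    for key, raw in groups.items():
        numbers = [n for n in map(_as_number, raw) if n is not None]
        if allnum and len(numbers) != len(raw):
            continue  # allnum=true: a non-numeric value disqualifies the group
        if numbers:
            averages[key] = mean(numbers)

    # Pass 2: write the aggregate inline on each pertinent event. The events
    # are copied so the caller's input is left untouched.
    out = []
    for ev in events:
        new = dict(ev)
        if field in ev and (by is None or by in ev) and ev.get(by) in averages:
            new[as_field] = averages[ev.get(by)]
        out.append(new)
    return out


def error_spikes(events, bucket_field="date_hour"):
    """Count-based variant of Example 3, modelling
    eventtype="error" | stats count by <bucket_field>
                      | eventstats avg(count) AS avg | where count > avg
    Returns the buckets whose error count is above the mean bucket count.
    """
    counts = defaultdict(int)
    for ev in events:
        if ev.get("eventtype") == "error" and bucket_field in ev:
            counts[ev[bucket_field]] += 1
    # stats collapses the events to one row per bucket ...
    rows = [{bucket_field: k, "count": c} for k, c in sorted(counts.items())]
    # ... eventstats annotates every row with the overall average count ...
    rows = eventstats_avg(rows, "count", "avg")
    # ... and where keeps only the above-average buckets.
    return [r for r in rows if r["count"] > r["avg"]]


if __name__ == "__main__":
    for ev in eventstats_avg(SAMPLE_EVENTS, "duration", "avgdur", by="date_hour"):
        print(ev["_time"], ev.get("duration"), ev.get("avgdur"))
    print("spike hours:", [r["date_hour"] for r in error_spikes(SAMPLE_EVENTS)])
```

Running the script prints the per-hour average beside each event (the event without 'duration' shows no avgdur) and reports hour 10 as the only bucket whose error count exceeds the average; a stats-only search would have returned just the three count rows and lost the individual events.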
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 5.0 , 5.0.1 , 5.0.2 , 5.0.3