Splunk® Cloud Services

SPL2 Search Reference

eventstats command syntax details

The required syntax is in bold.

Syntax

eventstats
[allnum=<bool>]
<aggregation> ...
[<by-clause>]

The AS and BY keywords are displayed in uppercase in the syntax and examples to make the syntax easier to read. You can specify these keywords in uppercase or lowercase.

Required arguments

aggregation
Syntax: <aggregate-function> "("<field>")" [AS <field>] ["," <aggregate-function> "("<field> ")" [AS <field>] ]...
Description: A statistical aggregation function. The function can be applied to an eval expression, or to a field or set of fields. You can specify multiple aggregation functions. Separate each aggregation function with a comma.
By default, the name of the field added to the output is the same as your function. For example, if your search is ... | eventstats avg(bytes) the field name in the output is avg(bytes). Use the AS clause to place the generated result into a new field with a name that you specify, for example ... | eventstats avg(bytes) AS 'avg of bytes'.
The syntax for the <aggregate-function> depends on the function that you use. See Quick Reference for SPL2 Stats and Charting Functions for information about the statistical functions.

Optional arguments

allnum
Syntax: allnum=<bool>
Description: If set to true, computes numerical statistics on each field, if and only if, all of the values in that field are numerical. If you have a BY clause, the allnum argument applies to each group independently.
Default: false
by-clause
Syntax: BY <field> [span=<timespan>] ["," <field> [span=<timespan>] ]...
Description: The name of one or more fields to group the results by. You can specify a time span to apply to the grouping. The <by-clause> returns one row for each distinct value in the <by-clause> fields. You cannot use the wildcard character to specify multiple fields with similar names. You must specify each field separately.
Default: If no <by-clause> is specified, the eventstats command returns only one row, which is the aggregation over the entire incoming result set.

See also

eventstats command
eventstats command overview
eventstats command usage
eventstats command examples
Last modified on 16 May, 2023
eventstats command overview   eventstats command usage

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters