Splunk® Cloud Services

SPL2 Search Reference

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

eventstats command examples

The following are examples for using the SPL2 eventstats command. To learn more about the eventstats command, see How the SPL2 eventstats command works.

Many of these examples use the statistical functions. See Overview of SPL2 stats and chart functions.

Calculate the overall average duration

Calculate the overall average duration and place the calculation in a new field called avgdur. Because no BY clause is specified, a single aggregation is created and added to every event.

... | eventstats avg(duration) AS avgdur

A new field called avgdur is created that field contains only one unique value.

Calculate the average duration grouped by a specific field

This example is the same as the previous example except that an average is calculated for each distinct value of the date_minute field. The new field avgdur is added to each event with the average value based on its particular value of date_minute.

... | eventstats avg(duration) AS avgdur BY date_minute

Search for spikes in the volume of errors

This example searches for spikes in error volume in the status field. You can use this search to trigger an alert if the count of errors is higher than average.

| search eventtype="error" | eventstats avg(status) AS avg | where status>avg

See also

eventstats command
eventstats command overview
eventstats command syntax details
eventstats command usage
Blogs
Search commands > stats, eventstats and streamstats
Last modified on 31 January, 2024
PREVIOUS
eventstats command usage
  NEXT
expand command overview

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters