eventstats command examples
The following are examples for using the SPL2 eventstats command.
To learn more about the eventstats command, see How the SPL2 eventstats command works.
Many of these examples use the statistical functions. See Overview of SPL2 stats and chart functions.
Calculate the overall average duration
Calculate the overall average duration and place the calculation in a new field called avgdur. Because no BY clause is specified, a single aggregation is created and added to every event.
... | eventstats avg(duration) AS avgdur
A new field called avgdur is created; that field contains only one unique value, because every event receives the same overall average.
Calculate the average duration grouped by a specific field
This example is the same as the previous example except that an average is calculated for each distinct value of the date_minute field. The new field avgdur is added to each event with the average value based on its particular value of date_minute.
... | eventstats avg(duration) AS avgdur BY date_minute
Search for spikes in the volume of errors
This example searches for spikes in error volume in the status
field. You can use this search to trigger an alert if the count of errors is higher than average.
| search eventtype="error" | eventstats avg(status) AS avg | where status>avg
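As an added illustration that is not part of the Splunk documentation or product, the following Python models what the three searches on this page do on a handful of constructed events: every event is kept and annotated with the aggregate (overall, or per BY group), and the error search then filters on the annotated value. The function names, the sentinel and the sample events are assumptions of this example.

```python
from collections import defaultdict
from statistics import mean

_MISSING = object()  # sentinel: the event has no value for the BY field

def _group_key(event, by):
    # No BY clause: every event belongs to the single group ().
    return () if by is None else event.get(by, _MISSING)

def eventstats_avg(events, field, as_name, by=None):
    """Model of `eventstats avg(field) AS as_name [BY by]`.

    Every input event is kept (a stats aggregation would collapse them to
    one row per group); each event gets the average of `field` for its
    group written into `as_name`. Events that lack the BY field belong to
    no group and are passed through unchanged.
    """
    groups = defaultdict(list)
    for e in events:
        key = _group_key(e, by)
        if key is not _MISSING and field in e:
            groups[key].append(e[field])
    averages = {k: mean(v) for k, v in groups.items()}
    out = []
    for e in events:
        annotated = dict(e)
        key = _group_key(e, by)
        if key in averages:
            annotated[as_name] = averages[key]
        out.append(annotated)
    return out

def error_spikes(events):
    """Model of the third search on this page:
    `search eventtype="error" | eventstats avg(status) AS avg | where status>avg`."""
    errors = [e for e in events if e.get("eventtype") == "error"]
    annotated = eventstats_avg(errors, "status", "avg")
    return [e for e in annotated if e["status"] > e["avg"]]

# Constructed sample events (hypothetical values, not from the docs).
EVENTS = [
    {"eventtype": "error", "date_minute": 1, "duration": 2.0, "status": 500},
    {"eventtype": "error", "date_minute": 1, "duration": 4.0, "status": 503},
    {"eventtype": "ok", "date_minute": 2, "duration": 1.0, "status": 200},
    {"eventtype": "error", "date_minute": 2, "duration": 3.0, "status": 404},
]

if __name__ == "__main__":
    print(error_spikes(EVENTS))
```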
See also
- eventstats command
- eventstats command overview
- eventstats command syntax details
- eventstats command usage
This documentation applies to the following versions of Splunk® Cloud Services: current