Splunk® Cloud Services

SPL2 Search Reference

eventstats command usage

The following sections contain information to help you understand and use the eventstats command.

Differences between eventstats and stats

The eventstats command is similar to the stats command. You can use both commands to generate aggregations like average, sum, and maximum.

The differences between these commands are described in the following table:

stats command eventstats command
Events are transformed into a table of aggregated search results Aggregations are placed into a new field that is added to each of the events in your output
You can only use the fields in your aggregated results in subsequent commands in the search You can use the fields in your events in subsequent commands in your search, because the events have not been transformed

How eventstats generates aggregations

The eventstats command looks for events that contain the field that you want to use to generate the aggregation. The command creates a new field in every event and places the aggregation in that field. The aggregation is added to every event, even events that were not used to generate the aggregation.

For example, you have 4 events and 3 of the events have the field you want to aggregate on, the eventstats command generates the aggregation based on the data in the 3 events. A new field is added all 4events and the aggregation is added to that field in every event. See eventstats command overview.

Limitations and optimizations

There are several default search limitations that might impact using the eventstats command:

  • There is default limit to the amount of memory that the eventstats command can use to keep track of information when processing a search. If the eventstats command reaches this limit, the command stops adding the requested fields to the search results.
  • There is default limit for the number of results returned from a search. The default value is 50,000.

You can avoid reaching these limit by filtering out events before you use the eventstats command in your search.


Functions and memory usage

Some functions are inherently more expensive, from a memory standpoint, than other functions. For example:

  • The distinct_count function requires far more memory than the count function.
  • The values and list functions also can consume a lot of memory.

You can avoid running into memory issues by filtering out events before you use the eventstats command in your search.

When to use the estimated distinct count function

If you are using the distinct_count function without a BY clause field or with a low-cardinality field in the BY clause, consider replacing the distinct_count function with the estdc function (estimated distinct count). The estdc function can result in significantly lower memory usage and run times.

Event order functions

When you use the stats and eventstats commands to order events based on time, use the earliest and latest functions.

  • To locate the first value based on time order, use the earliest function.
  • To locate the last value based on time order, use the latest function.

When searching events based on time, the first and last functions do not produce accurate results,

For more information about these functions, see Time functions.

See also

eventstats command
eventstats command overview
eventstats command syntax details
eventstats command examples
Last modified on 20 October, 2020
eventstats command syntax details   eventstats command examples

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters