eventstats command overview - Splunk Documentation (2024)

The SPL2 eventstats command generates summary statistics from fields in your events and saves those statistics into a new field. The eventstats command places the generated statistics in new field that is added to the original raw events.

Syntax

The required syntax is in bold.

eventstats
[allnum=<bool>]
<stats-agg-term>...
[<by-clause>]

How the SPL2 eventstats command works

It's much easier to see what the SPL2 eventstats command does by showing you examples, using a set of simple events.

These examples use the from command to create a set of events. The streamstats and eval commands are used to create additional fields in the events.

Creating a set of events

Let's start by creating a set of four events by using a dataset literal.

| from [{"age":25, "city": "San Francisco"}, {"age": 39, "city": "Seattle"}, {"age":31, "city": "San Francisco"}, {"city": "Seattle"}]| eval _time = now() | streamstats count()

  • The from command is used to create four results, which contain the timestamp when the results where created. The dataset literal specifies fields and values for four events. The fields are "age" and "city".
  • The last event does not contain the age field.
  • The streamstats command is used to create the count field. The streamstats command calculates a cumulative count for each event, at the time the event is processed.

The results of the search look like this:

_timeagecitycount
02 May 2022 18:32:0725San Francisco1
02 May 2022 18:32:0739Seattle2
02 May 2022 18:32:0731San Francisco3
02 May 2022 18:32:07Seattle4

Using eventstats with a BY clause

The BY clause in the eventstats command is optional, but is used frequently with this command. The BY clause groups the generated statistics by the values in a field. You can use any of the statistical functions with the eventstats command to generate the statistics. See the Quick Reference for SPL2 Stats and Charting Functions.


In this example, the eventstats command generates the average age for each city. The generated averages are placed into a new field called avg(age).

The following search is the same as the previous search, with the eventstats command added at the end:

| from [{"age":25, "city": "San Francisco"}, {"age": 39, "city": "Seattle"}, {"age":31, "city": "San Francisco"}, {"city": "Seattle"}]| eval _time = now() | streamstats count()| eventstats avg(age) BY city

  • For San Francisco, the average age is 28 = (25 + 31) / 2.
  • For Seattle, there is only one event with a value. The average is 39 = 39 / 1. The eventstats command places that average in every event for Seattle, including events that did not contain a value for age.

The results of the search look like this:

_timeageavg(age)citycount
02 May 2022 18:32:072528San Francisco1
02 May 2022 18:32:073939Seattle2
02 May 2022 18:32:073128San Francisco3
02 May 2022 18:32:0739Seattle4

Renaming the new field

By default, the name of the new field that is generated is the name of the statistical calculation. In these examples, that name is avg(age). You can rename the new field using the AS keyword.

In the following search, the eventstats command has been adjusted to rename the new field to average age by city.

| from [{"age":25, "city": "San Francisco"}, {"age": 39, "city": "Seattle"}, {"age":31, "city": "San Francisco"}, {"city": "Seattle"}]| eval _time = now() | streamstats count()| eventstats avg(age) AS 'average age by city' BY city

The results of the search look like this:

_timeageaverage age by citycitycount
02 May 2022 18:32:072528San Francisco1
02 May 2022 18:32:073939Seattle2
02 May 2022 18:32:073128San Francisco3
02 May 2022 18:32:0739Seattle4

Events with text values

The previous examples show how an event is processed that does not contain a value in the age field. Let's see how events are processed that contain an alphabetic character value in the field that you want to use to generate statistics.

The following search includes the word test as a value in the age field.

| from [{"age":25, "city": "San Francisco"}, {"age": 39, "city": "Seattle"}, {"age":31, "city": "San Francisco"}, {"age":"test", "city": "Seattle"}]| eval _time = now() | streamstats count()


The results of the search look like this:

_timeagecitycount
02 May 2022 18:32:0725San Francisco1
02 May 2022 18:32:0739Seattle2
02 May 2022 18:32:0731San Francisco3
02 May 2022 18:32:07testSeattle4


Let's add the eventstats command to the search.

| from [{"age":25, "city": "San Francisco"}, {"age": 39, "city": "Seattle"}, {"age":31, "city": "San Francisco"}, {"age":"test", "city": "Seattle"}]| eval _time = now() | streamstats count()| eventstats avg(age) BY city


The alphabetic values are treated like null values. The results of the search look like this:

_timeageavg(age)citycount
02 May 2022 18:32:072528San Francisco1
02 May 2022 18:32:073939Seattle2
02 May 2022 18:32:073128San Francisco3
02 May 2022 18:32:07test39Seattle4

Using the allnum argument

But suppose you don't want statistics generated when there are alphabetic characters in the field or the field is empty?

The allnum argument controls how the eventstats command processes field values. The default setting for the allnum argument is FALSE. Which means that the field used to generate the statistics does not need to contain all numeric values. Fields with empty values or alphabetic character values are ignored. You've seen this in the earlier examples.

You can force the eventstats command to generate statistics only when the fields contain all numeric values. To accomplish this, you can set the allnum argument to TRUE.

| from [{"age":25, "city": "San Francisco"}, {"age": 39, "city": "Seattle"}, {"age":31, "city": "San Francisco"}, {"age":"test", "city": "Seattle"}]| eval _time = now() | streamstats count()| eventstats allnum=true avg(age) BY city


The results of the search look like this:

_timeageavg(age)citycount
02 May 2022 18:32:072528San Francisco1
02 May 2022 18:32:0739Seattle2
02 May 2022 18:32:073128San Francisco3
02 May 2022 18:32:07testSeattle4

Because the age field contains values for Seattle that are not all numbers, the entire set of values for Seattle are ignored. No average is calculated.

The allnum=true argument applies to empty values as well as alphabetic character values.

See also

eventstats command
eventstats command syntax details
eventstats command usage
eventstats command examples
Other commands
stats command overview
streamstats command overview
Blogs
Search commands > stats, eventstats and streamstats
eventstats command overview - Splunk Documentation (2024)

References

Top Articles
Latest Posts
Article information

Author: Nicola Considine CPA

Last Updated:

Views: 6345

Rating: 4.9 / 5 (69 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Nicola Considine CPA

Birthday: 1993-02-26

Address: 3809 Clinton Inlet, East Aleisha, UT 46318-2392

Phone: +2681424145499

Job: Government Technician

Hobby: Calligraphy, Lego building, Worldbuilding, Shooting, Bird watching, Shopping, Cooking

Introduction: My name is Nicola Considine CPA, I am a determined, witty, powerful, brainy, open, smiling, proud person who loves writing and wants to share my knowledge and understanding with you.