eventstats
Description
Computes statistical aggregates over the events and adds the results to every event as new fields. Unlike stats, the original events are kept; each one is annotated with the aggregate of its group.
Syntax
eventstats <functions-expression> ["," <functions-expression>] [<by_expression>]
Arguments
See the stats command for a description.
Examples
Example 1
In this example, eventstats adds the aggregated fields values(message) and dc(user) to every event, computed separately for each user, index group.
source tweets8
| eventstats values(message), dc(user) by user, index
Example 2
In this example, the average of amount is first calculated for each category, user group and added to every event as the field avg(amount); where then keeps only the events whose group average is 65 and whose own amount is 120.
source tweets9
| eventstats avg(amount) by category, user
| where 'avg(amount)' == 65 and amount == 120
Example 3
In this example, no by clause is given, so the aggregates are computed over all events and added to each of them; eval then extracts the element at index 1 from the multivalue field values(user).
source tweets
| eventstats values(user), dc(message)
| eval res = mvindex('values(user)', 1)
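The three examples above rely on the same behaviour: the aggregate is computed per group and then copied onto every event of that group, so the row count never changes. The following Python model of that behaviour is an added example, not the product's own implementation or query engine. It assumes the semantics implied by the examples (values() returns the distinct values of a field, dc() counts distinct values, avg() is the arithmetic mean, and 'avg(amount)' in a where clause refers to the field named avg(amount)); the event data is constructed for illustration and stands in for the tweets sources.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events standing in for the tweets/tweets8/tweets9 sources.
EVENTS = [
    {"index": "tweets", "user": "alice", "message": "hello", "category": "a", "amount": 100},
    {"index": "tweets", "user": "alice", "message": "again", "category": "a", "amount": 140},
    {"index": "tweets", "user": "bob",   "message": "hi",    "category": "a", "amount": 120},
    {"index": "tweets", "user": "bob",   "message": "hi",    "category": "a", "amount": 10},
    {"index": "tweets", "user": "bob",   "message": "yo",    "category": "b", "amount": 70},
]

# Aggregate functions modelled here (assumed semantics, see lead-in).
AGGREGATES = {
    "values": lambda xs: sorted(set(xs)),   # distinct values as a multivalue list
    "dc": lambda xs: len(set(xs)),          # distinct count
    "avg": lambda xs: mean(xs),             # arithmetic mean
    "count": lambda xs: len(xs),            # event count
}


def eventstats(events, functions, by=()):
    """Model of eventstats: compute each (func, field) aggregate per `by` group
    and attach it to every event of that group under the name "func(field)".
    The output has exactly one row per input event, unlike a stats command."""
    groups = defaultdict(list)
    for ev in events:
        groups[tuple(ev.get(f) for f in by)].append(ev)
    out = []
    for ev in events:
        key = tuple(ev.get(f) for f in by)
        row = dict(ev)  # keep the original event fields
        for fn, field in functions:
            vals = [e[field] for e in groups[key] if field in e]
            row[f"{fn}({field})"] = AGGREGATES[fn](vals)
        out.append(row)
    return out


def mvindex(values, i):
    """Model of mvindex: element i of a multivalue field, or None if out of range."""
    return values[i] if -len(values) <= i < len(values) else None


def example1():
    # | eventstats values(message), dc(user) by user, index
    return eventstats(EVENTS, [("values", "message"), ("dc", "user")], by=("user", "index"))


def example2():
    # | eventstats avg(amount) by category, user
    # | where 'avg(amount)' == 65 and amount == 120
    rows = eventstats(EVENTS, [("avg", "amount")], by=("category", "user"))
    return [r for r in rows if r["avg(amount)"] == 65 and r["amount"] == 120]


def example3():
    # | eventstats values(user), dc(message)
    # | eval res = mvindex('values(user)', 1)
    rows = eventstats(EVENTS, [("values", "user"), ("dc", "message")])
    return mvindex(rows[0]["values(user)"], 1)


if __name__ == "__main__":
    for row in example1():
        print(row["user"], row["values(message)"], row["dc(user)"])
    print(example2())
    print(example3())
```

Running the script shows the distinguishing property of the command: example1 returns all five events, each carrying its group's values(message) list and a dc(user) of 1, example2 narrows the annotated events down to the single bob event with amount 120 whose group average is 65, and example3 yields "bob", the second distinct user across the whole data set.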