eventstats command: Examples

The following are examples for using the SPL2 eventstats command. To learn more about the eventstats command, see How the SPL2 eventstats command works.

Many of these examples use the statistical functions. See Overview of SPL2 stats and chart functions.

Calculate the overall average duration

Calculate the overall average duration and place the calculation in a new field called avgdur. Because no BY clause is specified, a single aggregation is created and added to every event.

... | eventstats avg(duration) AS avgdur

A new field called avgdur is created that field contains only one unique value.

Calculate the average duration grouped by a specific field

This example is the same as the previous example except that an average is calculated for each distinct value of the date_minute field. The new field avgdur is added to each event with the average value based on its particular value of date_minute.

... | eventstats avg(duration) AS avgdur BY date_minute

Search for spikes in the volume of errors

This example searches for spikes in error volume in the status field. You can use this search to trigger an alert if the count of errors is higher than average.

| search eventtype="error" | eventstats avg(status) AS avg | where status>avg

Documentation

eventstats command: Examples

Calculate the overall average duration

Calculate the average duration grouped by a specific field

Search for spikes in the volume of errors

See also