eventstats

Calculate statistics and add results to all events without aggregating rows.

Description

The eventstats command computes aggregate statistics and adds them as fields to every event. Unlike stats which reduces rows, eventstats preserves all events and enriches them with aggregate values.

This is useful for comparing individual events against group statistics or calculating percentages.

Syntax

... | eventstats <function>([field]) [as <alias>] [by <field>]

Arguments

Same aggregation functions as stats.

Examples

Add total count to each event

* | eventstats count() as total_events

Compare to group average

* | eventstats avg(bytes) as avg_bytes by src_ip
  | where bytes > avg_bytes * 2

Calculate percentage

* | eventstats count() as total
  | stats count() as subset, max(total) as total by action
  | eval percentage = (subset / total) * 100

Add group statistics

* | eventstats sum(bytes) as total_bytes, dc(dest_ip) as unique_dests by src_ip

Identify outliers

* | eventstats avg(response_time) as avg_time, stdev(response_time) as std_time by endpoint
  | where response_time > (avg_time + (3 * std_time))

Rank within group

* | eventstats max(bytes) as max_bytes by user
  | where bytes = max_bytes

Add context to events

* | eventstats dc(user) as unique_users, count() as total_events by src_ip
  | table timestamp, src_ip, user, action, unique_users, total_events
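To make the difference between enriching and reducing concrete, here is a small Python model of the two commands run over a constructed batch of firewall-style events. This is an added illustration, not nano SIEM code, and the event records, field names and the `stats`/`eventstats` helper functions are assumptions chosen to mirror the queries above: `heavy_senders` reproduces the "Compare to group average" pipeline and `action_percentages` the "Calculate percentage" pipeline.

```python
"""Model of eventstats (enrich every row) vs. stats (reduce to one row per group)."""
from collections import defaultdict
from statistics import mean, stdev

# Constructed sample events (not from the page); private/documentation IP ranges only.
EVENTS = [
    {"src_ip": "10.0.0.5", "user": "alice", "dest_ip": "203.0.113.10", "bytes": 100,  "action": "allow"},
    {"src_ip": "10.0.0.5", "user": "alice", "dest_ip": "203.0.113.10", "bytes": 120,  "action": "allow"},
    {"src_ip": "10.0.0.5", "user": "alice", "dest_ip": "203.0.113.11", "bytes": 110,  "action": "allow"},
    {"src_ip": "10.0.0.5", "user": "alice", "dest_ip": "198.51.100.7", "bytes": 2000, "action": "deny"},
    {"src_ip": "10.0.0.9", "user": "bob",   "dest_ip": "203.0.113.10", "bytes": 500,  "action": "allow"},
    {"src_ip": "10.0.0.9", "user": "bob",   "dest_ip": "203.0.113.12", "bytes": 520,  "action": "allow"},
    {"src_ip": "10.0.0.7", "user": "carol", "dest_ip": "203.0.113.10", "bytes": 50,   "action": "allow"},
    {"src_ip": "10.0.0.7", "user": "carol", "dest_ip": "203.0.113.10", "bytes": 60,   "action": "deny"},
]

# Aggregation functions shared by stats and eventstats (same names as the query language).
AGG_FUNCS = {
    "count": lambda vals: len(vals),
    "sum":   lambda vals: sum(vals),
    "avg":   lambda vals: mean(vals) if vals else None,
    "min":   lambda vals: min(vals) if vals else None,
    "max":   lambda vals: max(vals) if vals else None,
    "dc":    lambda vals: len(set(vals)),
    "stdev": lambda vals: stdev(vals) if len(vals) > 1 else 0.0,
}


def _group_key(event, by):
    """Tuple of the 'by' field values; empty tuple when there is no grouping."""
    return tuple(event.get(f) for f in by) if by else ()


def _compute(group, aggs):
    """aggs is a list of (function, field, alias); field None means count() over the group."""
    out = {}
    for func, field, alias in aggs:
        vals = group if field is None else [e[field] for e in group if field in e]
        out[alias] = AGG_FUNCS[func](vals)
    return out


def _group(events, by):
    groups = defaultdict(list)
    for e in events:
        groups[_group_key(e, by)].append(e)
    return groups


def stats(events, aggs, by=()):
    """Reduce: one output row per group, carrying only the by-fields and aggregates."""
    rows = []
    for key, group in _group(events, by).items():
        row = dict(zip(by, key))
        row.update(_compute(group, aggs))
        rows.append(row)
    return rows


def eventstats(events, aggs, by=()):
    """Enrich: every input event comes back, plus its group's aggregate fields."""
    results = {key: _compute(group, aggs) for key, group in _group(events, by).items()}
    return [{**e, **results[_group_key(e, by)]} for e in events]


def heavy_senders(events):
    """* | eventstats avg(bytes) as avg_bytes by src_ip | where bytes > avg_bytes * 2"""
    enriched = eventstats(events, [("avg", "bytes", "avg_bytes")], by=("src_ip",))
    return [e for e in enriched if e["bytes"] > e["avg_bytes"] * 2]


def action_percentages(events):
    """* | eventstats count() as total
       | stats count() as subset, max(total) as total by action
       | eval percentage = (subset / total) * 100"""
    with_total = eventstats(events, [("count", None, "total")])
    rows = stats(with_total, [("count", None, "subset"), ("max", "total", "total")], by=("action",))
    for row in rows:
        row["percentage"] = row["subset"] / row["total"] * 100
    return {row["action"]: row["percentage"] for row in rows}


if __name__ == "__main__":
    print("eventstats rows:", len(eventstats(EVENTS, [("count", None, "total")])))   # 8, all kept
    print("stats rows:     ", len(stats(EVENTS, [("count", None, "n")], by=("src_ip",))))  # 3, one per src_ip
    print("heavy senders:  ", heavy_senders(EVENTS))
    print("percentages:    ", action_percentages(EVENTS))
```

The `max(total) as total` in `action_percentages` is what carries the eventstats field through the reducing `stats` step; without it the per-action rows would have no `total` left to divide by. Note also that `heavy_senders` is computed per `src_ip`, so a 2000-byte transfer is flagged only because it dwarfs that source's own baseline, not a global one.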

Usage Notes

Preserves rows: All events remain in results with added aggregate fields.

vs. stats: Use stats to aggregate, eventstats to enrich.

vs. streamstats: eventstats calculates across all events, streamstats calculates running values.

Performance: More expensive than stats since all rows are preserved.

Related Commands

  • stats - Aggregate and reduce rows
  • streamstats - Running statistics
  • eval - Calculate per-event values