eventstats

Description

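Performs statistical operations on the data and stores each result in a new field. As the example queries below show, later commands refer to that field by the quoted function expression, such as 'avg(amount)'.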

Syntax

eventstats <functions-expression> ["," <functions-expression>] [<by_expression>]

Arguments

See the stats command for a description.

Example Queries

Example #1

source tweets8
| eventstats values(message), dc(user) by user, index

Example #2

source tweets9
| eventstats avg(amount) by category, user
| where 'avg(amount)' == 65 and amount == 120

Example #3

source tweets
| eventstats values(user), dc(message)
| eval res = mvindex('values(user)', 1)
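
What Example #2 computes, modeled in Python as an added illustration (not part of this documentation and not the query engine's code). It assumes eventstats keeps every input event and attaches the per-group aggregate under a field named after the function expression, which is how the where clause in Example #2 reads it; the function names and sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events standing in for the "tweets9" source.
SAMPLE = [
    {"category": "food",   "user": "alice", "amount": 120},
    {"category": "food",   "user": "alice", "amount": 10},
    {"category": "food",   "user": "bob",   "amount": 120},
    {"category": "travel", "user": "alice", "amount": 120},
    {"category": "travel", "user": "alice", "amount": 120},
]

def eventstats_avg(events, field, by):
    """Model of `eventstats avg(<field>) by <by...>` (assumed semantics):
    every input event is kept and gains the average of its own group."""
    totals = defaultdict(lambda: [0.0, 0])           # group key -> [sum, count]
    for ev in events:
        if field in ev:                              # assumption: events lacking the field are skipped
            acc = totals[tuple(ev.get(b) for b in by)]
            acc[0] += ev[field]
            acc[1] += 1
    out_name = f"avg({field})"                       # field name as referenced in Example #2
    result = []
    for ev in events:
        row = dict(ev)                               # original fields stay on the event
        total, count = totals.get(tuple(ev.get(b) for b in by), (0.0, 0))
        if count:
            row[out_name] = total / count
        result.append(row)
    return result

def example_2(events):
    """eventstats avg(amount) by category, user
       | where 'avg(amount)' == 65 and amount == 120"""
    rows = eventstats_avg(events, "amount", ["category", "user"])
    # The filter can compare the group average and the event's own value
    # because both are present on the same row.
    return [r for r in rows if r.get("avg(amount)") == 65 and r.get("amount") == 120]

if __name__ == "__main__":
    for row in eventstats_avg(SAMPLE, "amount", ["category", "user"]):
        print(row)
    print("matches:", example_2(SAMPLE))
```

Only the first sample event matches: its group (food, alice) averages 65 while the event itself carries amount 120, a comparison that needs both the per-event value and the group aggregate on one row.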