eventstats

The eventstats operator aggregates events and adds the results as new fields to the source events.

eventstats is similar to summarize, but where summarize replaces the input events with one row per group, eventstats keeps every input event and appends the aggregation results to it as new fields.

By default, eventstats aggregates at most 50,000 events at a time. You can change this limit with the max_events argument (MaxNoOfAggregatedEvents in the syntax below).

Syntax

Scope | eventstats [max_events=MaxNoOfAggregatedEvents] [[AggregatedField =] AggregationFunction [, ...]] [by [GroupField =] GroupingExpression [, ...]]

Arguments

  • Scope: The events to aggregate and enrich.
  • MaxNoOfAggregatedEvents: The maximum number of events to aggregate. After reaching this limit, aggregation stops, and all of the input events are enriched with the same, most recent aggregation results. Default: 50000. If the scope holds more events than this limit, the aggregation reflects only the events processed before the cap, so a baseline (for example an average) computed over a large scope can be skewed; narrow the scope or raise max_events when that matters.
  • AggregatedField: Optional name for a field that contains an aggregation result. Defaults to a name derived from the corresponding AggregationFunction.
  • GroupField: Optional name for a group field. Defaults to a name derived from the corresponding GroupingExpression.
  • AggregationFunction: An aggregation function, such as avg, count, or sum, with field names as arguments. You can add multiple functions, separated by a comma.
  • GroupingExpression: The expression by which eventstats groups the input events before aggregating them. You can add multiple expressions, separated by a comma.

Results

First, the input events are arranged into groups where the corresponding GroupingExpressions evaluate to the same values.

Then, the specified AggregationFunctions process each group. The results are added to the input events as new fields.

Examples

Calculate the average response time for all events, and add a new field that contains the result.

dataset="cribl_internal_logs"
| eventstats avg(response_time)

Calculate the average response time separately for each distinct value of the src field. Name the result field average_response_time_of_this_src.

dataset="cribl_internal_logs"
| eventstats average_response_time_of_this_src=avg(response_time) by src

Show only those events that have a response time greater than the average.

dataset="cribl_internal_logs"
| eventstats average_response_time=avg(response_time)
| where response_time > average_response_time

Calculate the percentage of events for each HTTP method. summarize first collapses the events to one count per method; eventstats then adds the overall total to each of those rows, so the ratio can be computed per row.

dataset="cribl_internal_logs" method
| summarize cnt=count() by method
| eventstats total=sum(cnt)
| project method, ratio = floor(cnt * 100 / total)

Generate synthetic events from the built-in $vt_dummy dataset, add a random number to each, and enrich every event with the average of that number across all events.

dataset=$vt_dummy event<1000
| extend randomNumber=rand(10)
| eventstats avg(randomNumber)
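To make the Results section and the examples above concrete, here is an added Python model of eventstats semantics: group, aggregate, then enrich every input event (unlike summarize, which replaces them), including the max_events cap. This is example code written for this page, not Cribl's implementation; the sample events, the field names src, method and response_time, and the exact behaviour of the cap (only the first max_events events feed the aggregation, and a group that never appeared inside the cap gets null fields) are assumptions.

```python
"""Reference model of eventstats vs. summarize (constructed example, not Cribl code)."""
import math
from collections import defaultdict
from statistics import mean
from typing import Any, Callable

# Constructed sample events standing in for a few rows of cribl_internal_logs.
EVENTS = [
    {"src": "10.0.0.1", "method": "GET", "response_time": 120},
    {"src": "10.0.0.1", "method": "GET", "response_time": 80},
    {"src": "10.0.0.2", "method": "POST", "response_time": 900},
    {"src": "10.0.0.2", "method": "GET", "response_time": 100},
    {"src": "10.0.0.3", "method": "GET", "response_time": 4000},
    {"src": "10.0.0.3", "method": "PUT", "response_time": 60},
]

Agg = Callable[[list[dict[str, Any]]], Any]

# Aggregation functions: each takes a group of events and returns one value.
def avg(field: str) -> Agg:
    return lambda group: mean(e[field] for e in group)

def sum_(field: str) -> Agg:
    return lambda group: sum(e[field] for e in group)

def count() -> Agg:
    return lambda group: len(group)

def _group(events: list[dict], by: tuple[str, ...]) -> dict[tuple, list[dict]]:
    """Arrange events into groups where the 'by' fields have the same values."""
    groups: dict[tuple, list[dict]] = defaultdict(list)
    for e in events:
        groups[tuple(e.get(k) for k in by)].append(e)
    return groups

def summarize(events: list[dict], aggs: dict[str, Agg], by: tuple[str, ...] = ()) -> list[dict]:
    """Replace the input events with one row per group."""
    return [
        {**dict(zip(by, key)), **{name: fn(grp) for name, fn in aggs.items()}}
        for key, grp in _group(events, by).items()
    ]

def eventstats(events: list[dict], aggs: dict[str, Agg], by: tuple[str, ...] = (),
               max_events: int = 50000) -> list[dict]:
    """Enrich every input event with the aggregation results for its group."""
    # Assumption: only the first max_events events feed the aggregation; after that
    # aggregation stops and every event receives the results computed so far.
    results = {key: {name: fn(grp) for name, fn in aggs.items()}
               for key, grp in _group(events[:max_events], by).items()}
    out = []
    for e in events:
        enriched = dict(e)  # keep the original fields, add the aggregates
        # Assumption: a group never seen inside the cap gets null result fields.
        enriched.update(results.get(tuple(e.get(k) for k in by), {n: None for n in aggs}))
        out.append(enriched)
    return out

# The page's examples, run against the constructed events.
def slow_responses(events: list[dict]) -> list[dict]:
    """| eventstats average_response_time=avg(response_time) | where response_time > average_response_time"""
    enriched = eventstats(events, {"average_response_time": avg("response_time")})
    return [e for e in enriched if e["response_time"] > e["average_response_time"]]

def method_ratio(events: list[dict]) -> dict[str, int]:
    """| summarize cnt=count() by method | eventstats total=sum(cnt) | project method, ratio=floor(cnt*100/total)"""
    per_method = summarize(events, {"cnt": count()}, by=("method",))
    with_total = eventstats(per_method, {"total": sum_("cnt")})
    return {r["method"]: math.floor(r["cnt"] * 100 / r["total"]) for r in with_total}

def capped_average(events: list[dict], max_events: int) -> list[Any]:
    """Show the cap's effect: the average every event receives when only max_events are aggregated."""
    return [e["avg_rt"] for e in eventstats(events, {"avg_rt": avg("response_time")}, max_events=max_events)]

if __name__ == "__main__":
    print("above-average sources:", [e["src"] for e in slow_responses(EVENTS)])
    print("method ratio (%):", method_ratio(EVENTS))
    print("average with max_events=2:", capped_average(EVENTS, 2)[0], "vs uncapped:", capped_average(EVENTS, 50000)[0])
```

The last function is the practitioner's check on the max_events caveat: with a cap of 2, every event is enriched with an average computed from the first two events only, which is far below the true average across all six. A detection that filters on "above the average" would then behave very differently from what the query text suggests.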
Last updated by: Dritan Bitincka