eventstats

The eventstats operator aggregates events and adds the results as new fields to the source events.

eventstats is similar to summarize, but it enriches the input events instead of replacing them.

By default, eventstats can aggregate up to 50,000 events at a time. You can change this limit with the MaxNoOfAggregatedEvents parameter.

Syntax

Scope | eventstats [max_events=MaxNoOfAggregatedEvents] [[AggregatedField =] AggregationFunction [, ...]] [by [GroupField =] GroupingExpression [ asc | desc ] [ nulls first | nulls last ] [, ...]]

Arguments

  • Scope: The events to aggregate and enrich.
  • MaxNoOfAggregatedEvents: The maximum number of events to aggregate. After reaching this limit, aggregation stops, and all of the input events are enriched with the same, most recent aggregation results. Default: 50000.
  • AggregatedField: Optional name for a field that contains an aggregation result. Defaults to a name derived from the corresponding AggregationFunction.
  • GroupField: Optional name for a group field. Defaults to a name derived from the corresponding GroupingExpression.
  • AggregationFunction: A Cribl or statistical function, with field names as arguments. You can add multiple functions, separated by a comma. Wildcards are not supported for field names in aggregation functions.
  • GroupingExpression: The expression by which eventstats groups the input events before aggregating them. You can add multiple expressions, separated by a comma. After each expression, you can optionally add asc or desc, and nulls first or nulls last (see Group-by Sort Order).

Group-by Sort Order

In summarize, eventstats, and timestats, you can specify sort direction and null placement directly on each field in the by clause, instead of using a separate order or sort operator after the aggregation.

After each grouping expression, you can specify:

  • asc or desc: Sort direction for that group-by field.
  • nulls first or nulls last: Whether null values for that field sort before or after non-null values.

You can combine direction and null placement on each field independently. For example, instead of:

| summarize cnt=count() by tenantId, workspace
| order by tenantId asc, workspace asc

you can write:

| summarize cnt=count() by tenantId asc, workspace asc

The asc, desc, nulls first, and nulls last keywords have the same meaning as in the order operator (including its sorting rules).

Results

First, the input events are arranged into groups where the corresponding GroupingExpressions evaluate to the same values.

Then, the specified AggregationFunctions process each group. The results are added to the input events as new fields.

In Dashboards, aggregations in child searches are based on the parent search’s results, so if the parent search’s results are capped by a system limit (such as max_results_per_search / Results limit), the child search’s aggregations may be incomplete.

Examples

Calculate the average response time for all events, and add a new field that contains the result.

dataset="cribl_internal_logs"
| limit 100
| eventstats avgResponseTime = avg(response_time)

Calculate the average response time separately for each distinct value of the src field. Name the result field srcAvgResponseTime.

dataset="cribl_internal_logs"
| limit 100
| eventstats srcAvgResponseTime = avg(response_time) by src

Show only those events that have a response time greater than the average.

dataset="cribl_internal_logs"
| limit 100
| eventstats avgResponseTime = avg(response_time)
| where response_time > avgResponseTime

Calculate the ratio of events for each HTTP method.

dataset="cribl_internal_logs" method
| limit 1000
| summarize cnt=count() by method
| eventstats total=sum(cnt)
| project method, ratio = (cnt * 100 / total)

Generate dummy events that each carry a random number, and add the average of those random numbers to every event.

dataset=$vt_dummy event<1000
| extend randomNumber=rand(10)
| eventstats avg(randomNumber)
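The following is an added reference model of the eventstats semantics described under Results and in the examples above; it is constructed for this page and is not Cribl's implementation. It shows enrichment rather than replacement, grouping with by, the "slower than average" filter, and how max_events caps the events that feed the aggregate while every input event is still emitted (so aggregates computed past the cap describe only the first max_events events). The event dicts, field names and the avg helper are constructed sample values.

```python
from collections import defaultdict
from statistics import mean


def avg(values):
    """avg() aggregation: mean of the non-null values, or None if there are none."""
    return mean(values) if values else None


def eventstats(events, aggregations, by=(), max_events=50000):
    """Reference model of eventstats (constructed here, not Cribl's code).

    events:       list of dicts, one per input event
    aggregations: {new_field: (reduce_fn, source_field)}
    by:           grouping fields; events are grouped on the tuple of their values
    max_events:   only the first max_events events feed the aggregation; every
                  input event is still returned, enriched with the results that
                  existed when aggregation stopped (the MaxNoOfAggregatedEvents caveat)
    """
    groups = defaultdict(list)
    for ev in events[:max_events]:
        groups[tuple(ev.get(f) for f in by)].append(ev)
    results = {
        key: {new: fn([m[src] for m in members if m.get(src) is not None])
              for new, (fn, src) in aggregations.items()}
        for key, members in groups.items()
    }
    enriched = []
    for ev in events:
        key = tuple(ev.get(f) for f in by)
        # Assumption: an event past the cap whose group was never aggregated gets nulls.
        agg = results.get(key, {new: None for new in aggregations})
        enriched.append({**ev, **agg})  # enrich, never replace, the input event
    return enriched


# Constructed sample events standing in for dataset="cribl_internal_logs".
EVENTS = [
    {"src": "10.0.0.1", "method": "GET", "response_time": 100},
    {"src": "10.0.0.1", "method": "GET", "response_time": 300},
    {"src": "10.0.0.2", "method": "POST", "response_time": 200},
    {"src": "10.0.0.2", "method": "POST", "response_time": 1000},
]


def slow_events(events):
    """eventstats avgResponseTime = avg(response_time) | where response_time > avgResponseTime"""
    out = eventstats(events, {"avgResponseTime": (avg, "response_time")})
    return [e for e in out if e["response_time"] > e["avgResponseTime"]]


def per_src_avg(events):
    """eventstats srcAvgResponseTime = avg(response_time) by src"""
    return eventstats(events, {"srcAvgResponseTime": (avg, "response_time")}, by=("src",))
```

Calling eventstats(EVENTS, {"avgResponseTime": (avg, "response_time")}, max_events=3) returns all four events, each carrying the average of only the first three (200), which is the effect a lowered MaxNoOfAggregatedEvents has on a search over a large dataset.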