eventstats command usage - Splunk Documentation (2024)

The following sections contain information to help you understand and use the eventstats command.

Differences between eventstats and stats

The eventstats command is similar to the stats command. You can use both commands to generate aggregations like average, sum, and maximum.

The differences between these commands are described in the following table:

  • stats command: Events are transformed into a table of aggregated search results. eventstats command: Aggregations are placed into a new field that is added to each of the events in your output.
  • stats command: You can only use the fields in your aggregated results in subsequent commands in the search. eventstats command: You can use the fields in your events in subsequent commands in your search, because the events have not been transformed.

How eventstats generates aggregations

The eventstats command looks for events that contain the field that you want to use to generate the aggregation. The command creates a new field in every event and places the aggregation in that field. The aggregation is added to every event, even events that were not used to generate the aggregation.

For example, if you have 4 events and 3 of them have the field you want to aggregate on, the eventstats command generates the aggregation based on the data in those 3 events. A new field is added to all 4 events, and the aggregation is placed in that field in every event. See eventstats command overview.
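The following Python model is an added example, not Splunk code and not part of the original documentation. It reproduces the behaviour described above on four constructed authentication events: count(user) is computed from the three events that carry a user field, stats returns only a table, while eventstats writes the result into every event (including the one without a user field) and leaves the other fields in place so a later filter can use them. The helper names (stats_count, eventstats_count, failures_on_busy_hosts) and the sample events are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events (not from the Splunk docs): four authentication
# log records. The last event has no "user" field, so it cannot contribute to
# count(user), but eventstats still writes the aggregate into it.
EVENTS = [
    {"_time": 100, "host": "web01", "user": "alice", "action": "failure"},
    {"_time": 200, "host": "web01", "user": "bob", "action": "failure"},
    {"_time": 300, "host": "web02", "user": "alice", "action": "success"},
    {"_time": 400, "host": "web02", "action": "failure"},
]


def _group_key(event, by):
    # With no BY clause every event falls into a single group (key None).
    return event.get(by) if by else None


def _group_counts(events, field, by=None):
    """Count the events that contain `field`, split by the value of `by`."""
    counts = defaultdict(int)
    for ev in events:
        if field in ev:
            counts[_group_key(ev, by)] += 1
    return counts


def stats_count(events, field, by=None):
    """Model of `| stats count(field) BY by`.

    Returns a new table of aggregated rows. The original events, and fields
    such as `action` that were not part of the aggregation, are gone.
    """
    counts = _group_counts(events, field, by)
    rows = []
    for key in sorted(counts, key=str):
        row = {"count": counts[key]}
        if by:
            row[by] = key
        rows.append(row)
    return rows


def eventstats_count(events, field, by=None, as_name="count"):
    """Model of `| eventstats count(field) AS as_name BY by`.

    Every event is kept, and the aggregate for its group is written into a
    new field on each event, including events that did not contribute to it.
    """
    counts = _group_counts(events, field, by)
    return [dict(ev, **{as_name: counts.get(_group_key(ev, by), 0)}) for ev in events]


def failures_on_busy_hosts(events, min_users=2):
    """Model of the follow-on search
    `| eventstats count(user) AS users_seen BY host | where action="failure" AND users_seen>=2`.

    This only works after eventstats: `action` is still present on each
    event, so a later command can filter on it. After stats it would be gone.
    """
    enriched = eventstats_count(events, "user", by="host", as_name="users_seen")
    return [ev for ev in enriched
            if ev.get("action") == "failure" and ev["users_seen"] >= min_users]
```

Running stats_count(EVENTS, "user", by="host") gives one row per host, whereas eventstats_count(EVENTS, "user", by="host") returns all four events with a count of 2 on the web01 events and 1 on the web02 events; failures_on_busy_hosts then keeps only the two web01 failures.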

Limitations and optimizations

There are several default search limitations that might impact using the eventstats command:

  • There is a default limit to the amount of memory that the eventstats command can use to keep track of information when processing a search. If the eventstats command reaches this limit, the command stops adding the requested fields to the search results.
  • There is a default limit for the number of results returned from a search. The default value is 50,000.

You can avoid reaching these limits by filtering out events before you use the eventstats command in your search.

Functions and memory usage

Some functions are inherently more expensive, from a memory standpoint, than other functions. For example:

  • The distinct_count function requires far more memory than the count function.
  • The values and list functions also can consume a lot of memory.

You can avoid running into memory issues by filtering out events before you use the eventstats command in your search.

When to use the estimated distinct count function

If you are using the distinct_count function without a BY clause field or with a low-cardinality field in the BY clause, consider replacing the distinct_count function with the estdc function (estimated distinct count). The estdc function can result in significantly lower memory usage and run times.

Event order functions

When you use the stats and eventstats commands to order events based on time, use the earliest and latest functions.

  • To locate the first value based on time order, use the earliest function.
  • To locate the last value based on time order, use the latest function.

When searching events based on time, the first and last functions do not produce accurate results.
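The following Python model is an added example, not Splunk code and not part of the original documentation. It shows why the time-order functions are the safe choice: first and last pick values by the position of an event in the result set, so their answer changes whenever the result order changes, while earliest and latest are driven by _time alone. The function names and the constructed login events are assumptions made for the example.

```python
# Constructed sample events (not from the Splunk docs). The list is
# deliberately not in time order, as happens after a `| sort user` or any
# search whose results are not returned in reverse-chronological order.
LOGINS = [
    {"_time": 300, "user": "alice", "src_ip": "10.0.0.3"},
    {"_time": 100, "user": "alice", "src_ip": "10.0.0.1"},
    {"_time": 200, "user": "alice", "src_ip": "10.0.0.2"},
]


def first(events, field):
    """Model of first(field): the value from the first event in result order."""
    return next(ev[field] for ev in events if field in ev)


def last(events, field):
    """Model of last(field): the value from the last event in result order."""
    return next(ev[field] for ev in reversed(events) if field in ev)


def earliest(events, field):
    """Model of earliest(field): the value from the event with the smallest _time."""
    return min((ev for ev in events if field in ev), key=lambda ev: ev["_time"])[field]


def latest(events, field):
    """Model of latest(field): the value from the event with the largest _time."""
    return max((ev for ev in events if field in ev), key=lambda ev: ev["_time"])[field]


def order_sensitive(events, field):
    """True when first/last disagree with latest/earliest for this result order,
    i.e. when relying on first/last would give a wrong time-based answer."""
    return (first(events, field), last(events, field)) != (
        latest(events, field), earliest(events, field))
```

On LOGINS as listed, first returns 10.0.0.3 and last returns 10.0.0.2, but the earliest login actually came from 10.0.0.1. Only when the events are sorted by _time descending (the default order of search results) do first/last happen to agree with latest/earliest.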

For more information about these functions, see Time functions.

See also

eventstats command
eventstats command overview
eventstats command syntax details
eventstats command examples