stats

The stats command is used to calculate statistics over all events in a given search. This command will block the event stream until all events have been received.

Syntax

The stats command is structured as follows:

A list of aggregation functions, that may take an eval expression as an argument; and may have an alias specified with the as keyword to set the name of the resulting field.
- There must always be at least one aggregation function.
An optional by identifier, followed by at least one field name. All unique permutations of the values of these fields will result in a new aggregation group containing a copy of all specified aggregation functions.

Aggregation arguments and by keys can use dot notation to read values from nested objects.

| stats <aggregation>(<expression>) as <output-name> by <field1>, <fieldN>

Aggregation Functions

List of available aggregation functions:

Takes an eval expression argument

sum - Sums the numeric values returned by the expression.
avg - Calculates the average numeric value returned by the expression.
min - Finds the smallest value returned by the expression.
max - Finds the largest value returned by the expression.
unique - Returns the count of unique values returned by the expression.
values - Returns a list of all unique values returned by the expression.

No field name argument

count - Increments a counter for each aggregation group.

Example

Count how many events are associated with each systemd unit:

| select systemd
| stats count() by SYSTEMD_UNIT

will output rows with 2 columns, SYSTEMD_UNIT and count, containing the name of a systemd unit and the number of events associated with it respectively.

Get the number of events + the number of unique systemd units for each host:

| select systemd
| stats count() as event_count, unique(SYSTEMD_UNIT) as unique_units by HOSTNAME

will output rows with 3 columns, HOSTNAME, event_count, and unique_units.

Group by a field inside a nested object:

| stats count() by object.group

Aggregate a calculated value: