
stats

Performs statistical operations on an events stream

Aliases

  • stats
  • aggr
  • aggregate

Synopsis

| stats <function> [as <field>], ... by <field>, ... [with ...]

If no aggregation clause (the by keyword) is given, stats aggregates all events together, without distinction:

| make count=10 showinfo=yes
| eval is_even = even(id)

| stats min(id) as min_id, max(id) as max_id
{
  "min_id": 0,
  "max_id": 9
}

If an aggregation clause (the by keyword) is given, stats aggregates events by the value(s) of the by field(s). In the next example, events are aggregated by the value of the field is_even:

| make count=10 showinfo=yes
| eval is_even = even(id)

| stats min(id) as min_id, max(id) as max_id by is_even
{
  "is_even": true,
  "min_id": 0,
  "max_id": 8
}

{
  "is_even": false,
  "min_id": 1,
  "max_id": 9
}

One can check the internal aggregation structures using the aggregates functor (this functor should be treated as a debug functor).

One can also customize some aspects of stats's internals by adding a with clause at the end of the command. This is not a standard use case: please refer to the technical documentation for more information.

Schema

{
  "additionalProperties": {
    "description": "Aggregates and aggregation fields"
  }
}

Description

stats aggregates events by field(s) and computes statistical values over the event stream using the stats functions listed below.

It is important to understand that the event stream is treated as infinite. This has two major consequences:

  • stats memory will grow over time
  • stats yields events whose signature is computed from the names of their aggregated fields

If you wish to display stats results, you may use either the output command or print_stats. The advantage of print_stats is that it displays a continuously updated data table instead of JSON objects.

Stats functions

Function     Syntax                      Description
count        count, count()              Count the number of events
min          min(<field>)                Returns the minimum value of field
max          max(<field>)                Returns the maximum value of field
values       values(<field>)             Returns the list of values of field
first        first(<field>)              Returns the first value of field
last         last(<field>)               Returns the latest value of field
aggregates   aggregates, aggregates()    Returns the internal aggregation structures
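To make the streaming semantics of the Description section concrete (per-group accumulators that are never evicted, one yielded event per input event, a signature derived from the aggregated field names) together with the function table above, here is a small Python model of the stats command. It is an added illustration, not the tool's own implementation; the `Stats` class, `signature()` and `make()` names are assumptions, and `values` is assumed to keep each distinct value once.

```python
# Each stats function is an accumulator update: (previous_acc, value) -> new_acc.
FUNCS = {
    "count": lambda acc, v: (acc or 0) + 1,
    "min": lambda acc, v: v if acc is None else min(acc, v),
    "max": lambda acc, v: v if acc is None else max(acc, v),
    "values": lambda acc, v: (acc or []) + [v] if v not in (acc or []) else acc,  # distinct, in order (assumption)
    "first": lambda acc, v: v if acc is None else acc,
    "last": lambda acc, v: v,
}


class Stats:
    """Model of `| stats <func>(<field>) as <alias>, ... by <field>, ...` over an unbounded stream."""

    def __init__(self, specs, by=()):
        self.specs = specs            # list of (function, field or None, alias)
        self.by = tuple(by)           # grouping fields; empty tuple = one global group
        self.groups = {}              # by-tuple -> accumulators; never evicted, so it grows over time

    def feed(self, event):
        """Consume one event and return the updated aggregate of its group (what stats yields)."""
        key = tuple(event.get(f) for f in self.by)
        acc = self.groups.setdefault(key, {alias: None for _, _, alias in self.specs})
        for func, field, alias in self.specs:
            if func == "count" or field in event:      # count needs no field; others skip missing fields
                acc[alias] = FUNCS[func](acc[alias], event.get(field))
        out = dict(zip(self.by, key))
        out.update(acc)
        return out

    def results(self):
        """Current aggregate of every group seen so far, in first-seen order."""
        return [dict(zip(self.by, key), **acc) for key, acc in self.groups.items()]


def signature(event):
    """Signature of a yielded event: the sorted names of its by fields and aliases."""
    return tuple(sorted(event))


def make(count):
    """Constructed stand-in for `| make count=N showinfo=yes | eval is_even = even(id)`."""
    return [{"id": i, "is_even": i % 2 == 0} for i in range(count)]


def demo():
    """Equivalent of `| stats min(id) as min_id, max(id) as max_id, count as n by is_even`."""
    s = Stats([("min", "id", "min_id"), ("max", "id", "max_id"), ("count", None, "n")], by=("is_even",))
    for ev in make(10):
        s.feed(ev)
    return s.results()
```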

Examples