Skip to content
SPL // Splunk

Using the eventstats Command

KGI Avatar

Written by: Eric Holsinger | Last Updated:

May 1, 2024
Splunk Search Command Of The Week: eventstats

Originally Published:

December 5, 2023

Splunk, a robust data analysis and visualization tool, offers a spectrum of commands to extract meaningful insights from extensive datasets. Among these commands, the eventstats command stands out. Using the eventstats command provides users with enhanced capabilities for data manipulation and analysis.


What is the eventstats Command in Splunk

The eventstats command in Splunk plays a pivotal role in data enrichment and real-time analytics. It enriches existing events with additional statistical results, think of it as an ‘eval’ command that can perform statistical calculations. This means you can perform calculations over the entire result set without losing individual events, offering a dynamic approach to data analysis.


When to Leverage the eventstats Command

Using the eventstats command proves invaluable when you need real-time calculations or running totals without sacrificing granularity. It’s your go-to tool for on-the-fly statistical insights. Imagine you want to understand the cumulative effect of events over time or calculate the difference between consecutive events—here, eventstats steps in, providing a solution that might be complex with other commands.


Benefits of the eventstats Command
  1. Dynamic Data Enrichment: The eventstats command dynamically enriches your data with running calculations. It can provide instantaneous cumulative sums, averages, or any statistic you need, all while keeping your data intact.
  2. Granular and Robust Analytics: When your analysis requires per-event statistical insights, eventstats shines. Whether you’re tracking the evolution of values or need context-specific calculations, this command ensures granular analytics without sacrificing performance.
  3. Efficient Data Correlation: Efficiency is paramount in data correlation, and eventstats delivers. By allowing the correlation of event-level statistics, it streamlines your queries, making them more readable and efficient. This efficiency translates to quicker and more accurate results.
Here are Some Examples to Help get you Started

Example 1: Dynamic Field Creation

This example dynamically creates a new field, ‘total_sales’, representing the cumulative sum of transaction amounts per product.

| eventstats sum(transaction_amount) as total_sales by product_id


Example 2: Calculating Running Totals and Averages

This example uses eventstats to calculate the running sum of response times and the running count of events, then evaluates the average response time. It provides dynamic insights into how response times evolve over events.

| eventstats sum(response_time) as total_response_time count as events  
| eval avg_response_time = total_response_time / events 


Example 3: Analyzing Deviation from Mean

Here, eventstats assists in analyzing how CPU usage deviates from the mean, providing a nuanced perspective on server performance.

| eventstats avg(cpu_usage) as mean stdev(cpu_usage) as deviation 
| eval deviation_from_mean = (cpu_usage - mean) / deviation



The Splunk eventstats command is a dynamic tool that elevates your data analysis game. Whether you’re aiming for real-time insights, granular analytics, or efficient data correlation, eventstats is your trusty ally. By mastering this command, you open the door to a realm of possibilities, enhancing the efficiency and depth of your data analysis within the Splunk platform.

Helpful? Don't forget to share this post!