stats
Use this command to provide summary statistics, optionally grouped by a field. The output for this query includes one field for each of the fields specified in the query, along with one field for each aggregation.
Syntax
-
The limit for the export operation that involves
statscommand withBYclause is 10000 records. -
While the
evalcommand creates new fields by using existing fields and arbitrary expressions, thestatscommand calculates statistics based on existing fields.
stats <stats_function> (<field_name>) [as new_field_name] [, <stats_function> (<field_name>) [as new_field_name]]* [by <field_name> (, <field_name>)*]Parameters
The following table lists the parameters used with this command, along with their descriptions.
| Parameter | Description |
|---|---|
|
|
Use this parameter to specify the field according to which you want the results to be grouped. |
Functions
The following table lists the functions available with this command, along with their examples.
| Function | Examples |
|---|---|
|
Average Note: This function is supported only for numeric fields. |
|
|
Count Note: |
|
|
Values |
|
|
Unique |
|
|
Earliest |
|
|
Latest |
|
|
Trend |
|
|
Distinct Count |
|
|
Maximum Note: This function is supported only for numeric fields. |
|
|
Median Note: This function is supported only for numeric fields. |
|
|
Minimum Note: This function is supported only for numeric fields. |
|
|
n-th value Note: This function is supported only for numeric fields. |
|
|
Sum Note: This function is supported only for numeric fields. |
|
|
Standard Deviation Note: This function is supported only for numeric fields. |
|
|
If Null Changes the value if the value is null. Note: This function is only for eventstats, geostats, stats and timestats (not after link). |
|
For examples of using this command in typical scenarios, see:
The following query returns the count of all logs grouped by severity, including those logs where the value of severity is null.
* | stats count by SeverityRunning the following query excludes the results from the aggregation if a field value is null.
* | stats count(Severity) by SeverityThe following query returns the count of fatal logs grouped by entity name and type.
Severity = fatal | stats count by Entity, 'Entity Type'The following query returns the total count of logs.
* | stats countThe following query returns the count of database logs grouped by entity name and severity.
'Entity Type' = 'Database Instance' | stats count by Entity, SeverityThe following query returns the values of severity grouped by entity name.
* | stats values(Severity) by Entity The following query returns the unique values of client host city grouped by entity type.
* | stats unique('Client Host City') by 'Entity Type' The following query returns the earliest values of the OS Process ID.
* | stats earliest('OS Process ID') The following query returns the latest values of the Error ID.
* | stats latest('Error ID') The following query creates an inlined timeseries sparkline. The default function is count
* | stats trend(avg(duration), 2min) by Entity The following query returns the standard deviation of the set of numbers of the specified field
* | stats stddev('Content Size') The following query returns the count of log records, and average content size grouped by severity:
* | stats count as 'Log Count', avg('Content Size') as 'Avg. Content Size' by Severity