stats

Use this command to provide summary statistics, optionally grouped by a field. The output for this query includes one field for each of the fields specified in the query, along with one field for each aggregation.

Syntax

Note

  • The limit for the export operation that involves stats command with BY clause is 10000 records.

  • While the eval command creates new fields by using existing fields and arbitrary expressions, the stats command calculates statistics based on existing fields.

stats <stats_function> (<field_name>) [as new_field_name] [, <stats_function> (<field_name>) [as new_field_name]]* [by <field_name> (, <field_name>)*]

Parameters

The following table lists the parameters used with this command, along with their descriptions.

Parameter Description

field_name

Use this parameter to specify the field according to which you want the results to be grouped.

Functions

The following table lists the functions available with this command, along with their examples.

Function Examples

Average

Note: This function is supported only for numeric fields.

avg(field_name)

  • avg(‘Content Size’)

Count

Note: count returns the count for all rows. count(field_name) returns the count for all rows where field is not null.

stats count

stats count(field_name)

  • stats count(Source)

Values

values(field_name)

  • values(Label)

  • values(Severity)

  • values(‘Client Host City’)

  • values(‘Client Host Country’)

  • values(‘Client Host Continent’)

Unique

unique(field_name)

  • unique(Label)

  • unique(Severity)

  • unique(‘Client Host City’)

  • unique(‘Client Host Country’)

  • unique(‘Client Host Continent’)

Earliest

earliest(field_name)

  • earliest(‘OS Process ID’)

Latest

latest(field_name)

  • latest(‘Error ID’)

Trend

trend(duration)

  • trend

  • trend(1hr)

Distinct Count

distinctcount(field_name)

  • distinctcount(Severity)

Maximum

Note: This function is supported only for numeric fields.

max(field_name)

  • max('Content Size')

Median

Note: This function is supported only for numeric fields.

median(field_name)

  • median('Content Size')

Minimum

Note: This function is supported only for numeric fields.

min(field_name)

  • min('Content Size')

n-th value

Note: This function is supported only for numeric fields.

pct(field_name, n)

  • pct('Content Size', 90)

Sum

Note: This function is supported only for numeric fields.

sum(field_name)

  • sum(‘Content Size’)

Standard Deviation

Note: This function is supported only for numeric fields.

stddev(field_name)

  • stddev(‘Content Size’)

If Null

Changes the value if the value is null.

Note: This function is only for eventstats, geostats, stats and timestats (not after link).

ifnull(stats_function(field_name), return value)

  • stats ifnull(avg('Content Size)', 0)

  • stats ifnull(latest(message), none)

The following query returns the count of all logs grouped by severity, including those logs where the value of severity is null.

* | stats count by Severity

Running the following query excludes the results from the aggregation if a field value is null.

* | stats count(Severity) by Severity

The following query returns the count of fatal logs grouped by entity name and type.

Severity = fatal | stats count by Entity, 'Entity Type'

The following query returns the total count of logs.

* | stats count

The following query returns the count of database logs grouped by entity name and severity.

'Entity Type' = 'Database Instance' | stats count by Entity, Severity

The following query returns the values of severity grouped by entity name.

* | stats values(Severity) by Entity  

The following query returns the unique values of client host city grouped by entity type.

* | stats unique('Client Host City') by 'Entity Type' 

The following query returns the earliest values of the OS Process ID.

* | stats earliest('OS Process ID') 

The following query returns the latest values of the Error ID.

* | stats latest('Error ID') 

The following query creates an inlined timeseries sparkline. The default function is count

* | stats trend(avg(duration), 2min) by Entity 

The following query returns the standard deviation of the set of numbers of the specified field

* | stats stddev('Content Size') 

The following query returns the count of log records, and average content size grouped by severity:

* | stats count as 'Log Count', avg('Content Size') as 'Avg. Content Size' by Severity