eventstats command usage - Splunk Documentation

The following sections contain information to help you understand and use the eventstats command.

Differences between eventstats and stats

The eventstats command is similar to the stats command. You can use both commands to generate aggregations like average, sum, and maximum. The differences between these commands are described in the following table:

stats command | eventstats command
Events are transformed into a table of aggregated search results | Aggregations are placed into a new field that is added to each of the events in your output
You can only use the fields in your aggregated results in subsequent commands in the search | You can use the fields in your events in subsequent commands in your search, because the events have not been transformed

How eventstats generates aggregations

The eventstats command looks for events that contain the field that you want to use to generate the aggregation. The command creates a new field in every event and places the aggregation in that field. The aggreg...
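The difference in the table matters when a search has to compare each event with a baseline for its own group. The search below is an added example, not taken from the Splunk documentation; the index name `web`, the `access_combined` sourcetype and the fields `clientip`, `bytes`, `uri_path` and `status` are assumptions about the data, and the threshold of 20 requests and three standard deviations is illustrative.

```spl
index=web sourcetype=access_combined
| eventstats avg(bytes) AS avg_bytes stdev(bytes) AS stdev_bytes count AS requests BY clientip
| where requests >= 20 AND bytes > avg_bytes + 3 * stdev_bytes
| eval ratio = round(bytes / avg_bytes, 1)
| table _time clientip uri_path status bytes avg_bytes ratio
| sort - ratio
```

Because eventstats writes avg_bytes, stdev_bytes and requests into every event, the where clause can still test each event's own bytes value, and _time, uri_path and status remain available for triage. With stats in the same position, only clientip and the three aggregates would remain, so the per-event comparison would return no results.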