
eventstats command overview - Splunk Documentation

The SPL2 eventstats command generates summary statistics from fields in your events and saves those statistics into a new field. The eventstats command places the generated statistics in a new field that is added to the original raw events.

Syntax

The required syntax is in bold.

    eventstats[allnum=]... []

How the SPL2 eventstats command works

It's much easier to see what the SPL2 eventstats command does by showing you examples, using a set of simple events. These examples use the from command to create a set of events. The streamstats and eval commands are used to create additional fields in the events.

Creating a set of events

Let's start by creating a set of four events by using a dataset literal.

    | from [{"age":25, "city": "San Francisco"}, {"age": 39, "city": "Seattle"}, {"age":31, "city": "San Francisco"}, {"city": "Seattle"}]
    | eval _time = now()
    | streamstats count()

The from command is used to create four results, which contain the timestamp when the resul...
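The following Python emulation is an added example, not SPL2 and not part of the Splunk documentation; it applies the behavior described above (a statistic computed from a field and written back onto every original event) to the four events from the dataset literal. The function name `eventstats`, its parameters, the `avg_age` field name and the per-group `by` argument are assumptions of this example.

```python
from collections import defaultdict
from statistics import mean

# The four events from the page's dataset literal (the last one has no "age").
EVENTS = [
    {"age": 25, "city": "San Francisco"},
    {"age": 39, "city": "Seattle"},
    {"age": 31, "city": "San Francisco"},
    {"city": "Seattle"},
]

AGGREGATIONS = {"avg": mean, "sum": sum, "min": min, "max": max, "count": len}


def eventstats(events, func, field, by=None, out=None):
    """Emulate eventstats: compute func(field) per group and copy the
    result onto every event in that group, keeping all original events."""
    out = out or f"{func}({field})"
    agg = AGGREGATIONS[func]
    groups = defaultdict(list)
    for ev in events:
        if by is not None and by not in ev:
            continue  # no group key: the event contributes to no group
        if field in ev:  # events missing the field add nothing to the statistic
            groups[ev.get(by) if by else None].append(ev[field])
    result = []
    for ev in events:
        new = dict(ev)  # original fields are preserved untouched
        key = ev.get(by) if by else None
        if (by is None or by in ev) and groups.get(key):
            new[out] = agg(groups[key])  # statistic lands in a new field
        result.append(new)
    return result


if __name__ == "__main__":
    for row in eventstats(EVENTS, "avg", "age", by="city", out="avg_age"):
        print(row)
```

The event count is unchanged after the call, which is the difference from a collapsing aggregation: each event keeps its own fields and gains the group statistic, including the Seattle event that has no `age` of its own.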
