
eventstats | Cribl Docs

The eventstats operator aggregates events and adds the results as new fields to the source events.

eventstats is similar to summarize, but it enriches the input events instead of replacing them.

By default, eventstats can aggregate up to 50,000 events at a time. You can change this limit with the MaxNoOfAggregatedEvents parameter.

Syntax

Scope | eventstats [max_events=MaxNoOfAggregatedEvents] [[AggregatedField =] AggregationFunction [, ...]] [by [GroupField =] GroupingExpression [, ...]]

Arguments

Scope: The events to aggregate and enrich.
MaxNoOfAggregatedEvents: The maximum number of events to aggregate. After reaching this limit, aggregation stops, and all of the input events are enriched with the same, most recent aggregation results. Default: 50000.
AggregatedField: Optional name for a field that contains an aggregation result. Defaults to a name derived from the corresponding AggregationFunction.
GroupField: Optional name for a group field. Defaults to a name derived from the correspond...
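
The aggregation limit described above matters for threshold-based detections, because once it is reached the added fields reflect only part of the input. The following Python model is an added example, not Cribl code and not part of the original page; it contrasts eventstats with summarize and shows a failed-login threshold going quiet when max_events is lower than the event count. The sample events, the failures field name, the helper names, and the handling of groups first seen after the limit are assumptions.

```python
from collections import defaultdict

# Constructed sample: six failed-login events (documentation IP ranges).
SAMPLE = [
    {"user": "alice", "src": "192.0.2.10"},
    {"user": "bob", "src": "198.51.100.7"},
    {"user": "alice", "src": "192.0.2.10"},
    {"user": "alice", "src": "192.0.2.11"},
    {"user": "bob", "src": "198.51.100.7"},
    {"user": "alice", "src": "192.0.2.12"},
]


def summarize(events, by):
    """Contrast case: the input is replaced by one row per group."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev[by]] += 1
    return [{by: key, "failures": n} for key, n in counts.items()]


def eventstats(events, by, max_events=50000):
    """Keep every event and add its group's count as 'failures'.

    Only the first max_events events feed the aggregation. Every event,
    including those past the limit, is enriched with the results as they
    stood when aggregation stopped.
    """
    counts = defaultdict(int)
    for ev in events[:max_events]:
        counts[ev[by]] += 1
    # Assumption: a group first seen after the limit gets None.
    return [{**ev, "failures": counts.get(ev[by])} for ev in events]


def flagged_users(enriched, threshold):
    """Users whose enriched failure count meets the alert threshold."""
    return sorted(
        {ev["user"] for ev in enriched if (ev["failures"] or 0) >= threshold}
    )


if __name__ == "__main__":
    full = eventstats(SAMPLE, "user")
    capped = eventstats(SAMPLE, "user", max_events=3)
    print(len(summarize(SAMPLE, "user")), "summary rows vs", len(full), "events")
    print("flagged, no cap hit:", flagged_users(full, 3))
    print("flagged, cap of 3:  ", flagged_users(capped, 3))
```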
