eventstats

It's a pretty popular search command and it is used in all sorts of situations. Below are some really cool searches that use eventstats along with other search commands.

cumulative distribution function

| stats count by X
| eventstats sum(count) as totalĀ 
| eval probXi=count/total
| sort X
| streamstats sum(probXi) as CDF

purpose:

requirements:

comments:

props to Pierre Brunel

Simple Outlier Search

error |stats count by host| eventstats avg(count) as avg stdevp(count) as stdevp | eval ub=avg+2*stdevp, lb=avg-2*stdevp, is_outlier=if(count<lb, 1, if(count>ub, 1, 0)) | where is_outlier=1

purpose:

Find outliers - hosts that have an error count which is greater than two standard deviations away from the mean.

requirements:

hosts with errors. alternatively, you can alter the search (before pipe) to source just about anything else that you'd like to analyze.

comments: