eventstats

This command is experimental

Definition

eventstats creates a summary of aggregated columns and shows them in a separate column. The command’s results can be turned into a chart. The command is used together with aggregation commands.

Syntax

| eventstats [allnum=<boolean>] <aggregation> [<group-by-clause>]

Optional arguments

Examples

Use eventstats to add summary of statistics per column. The following example calculates all possible aggregations for all columns available.

%dpl
| makeresults count=10
| eval test = 5
| eventstats

Currently, eventstats doesn’t work without an aggregation command. See the issue on GitHub.

You can list several aggregations you want to calculate to the defined column. Use space or a comma to separate aggregations.

%dpl
| makeresults count=10
| eval test = 5
| eventstats count sum(test)
Screenshot of the previous code example’s result

Currently, separating aggregations with a comma doesn’t work. Use instead spaces. See the issue on GitHub.

allnum

Use allnum to determine if only numerical values should take into account. It takes a boolean value, and it’s set to false by default.

If allnum is set to true, only numerical values are calculated for the eventstats summary. For example, if you group aggregated results by a column, the result may be empty if a set of values for a grouping value has even one string or empty value.

If allnum is set to false, column values with other types than numerical values aren’t ignored.

Currently, allnum isn’t implemented.

Group by clause

Use BY to group eventstats aggregations by a column. The following example calculates the average for balance column and groups results by the operation column.

%dpl
index=crud earliest=-5y
| spath
| eventstats avg(balance) by operation

Grouping aggregations by a column doesn’t work correctly. See the issue on GitHub.

Further Reading