The Nexus • Room 1

Eventstats

The **eventstats** command generates summary statistics and adds them as new fields to *every event in the result set*, WITHOUT collapsing the rows. With a `by` clause, each event receives the statistic computed for its own group.

Unlike `stats` (which replaces the events with a summary table, one row per group), `eventstats` keeps the events, so a later `where` clause can compare an individual row against the overall or per-group average.

Finding Above-Average Users
index=sales | eventstats avg(revenue) as overall_avg | where revenue > overall_avg

Every event keeps its own `revenue` field, and `eventstats` appends `overall_avg` to each one; the `where` clause then compares the two fields row by row. (The comparison must use the field that exists on the events; a `where` against a field that is not present matches nothing.)
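To make the row-preserving behaviour concrete, here is an added example (Python written for this page, not Splunk's own code or SPL) that models the row semantics of `stats` and `eventstats` on a handful of constructed outbound-traffic events. The field names `src_ip` and `bytes_out`, the values, and the helper names are assumptions for the illustration. It goes slightly beyond the `avg` case above by accepting any aggregation function and an optional `by` key, then runs the same "above the group average" filter a detection query would.

```python
"""Row semantics of Splunk's stats vs eventstats, modelled in Python.

Added example, not Splunk's own code: it re-implements just enough of the
two commands to show, on constructed events, that stats collapses the
result set to one row per group while eventstats keeps every event and
appends the aggregate as a new field.  Field names and values are made up.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample: outbound-traffic events from two internal hosts.
EVENTS = [
    {"src_ip": "10.0.0.5", "bytes_out": 1200},
    {"src_ip": "10.0.0.5", "bytes_out": 900},
    {"src_ip": "10.0.0.5", "bytes_out": 60000},   # one unusually large transfer
    {"src_ip": "10.0.0.9", "bytes_out": 800},
    {"src_ip": "10.0.0.9", "bytes_out": 700},
    {"src_ip": "10.0.0.9", "bytes_out": 650},
]


def _group_aggregates(events, agg, field, by):
    """Map group key (None when there is no `by`) -> agg() over that group's values."""
    groups = defaultdict(list)
    for event in events:
        groups[event.get(by) if by else None].append(event[field])
    return {key: agg(values) for key, values in groups.items()}


def stats(events, agg, field, alias, by=None):
    """Model of `| stats <agg>(field) as alias [by key]`.

    Returns one summary row per group; the raw events are not in the output.
    """
    rows = []
    for key, value in _group_aggregates(events, agg, field, by).items():
        row = {alias: value}
        if by:
            row[by] = key
        rows.append(row)
    return rows


def eventstats(events, agg, field, alias, by=None):
    """Model of `| eventstats <agg>(field) as alias [by key]`.

    Returns the same events, each with the aggregate of its group added as
    a new field, so a later filter can compare the event to its group.
    """
    totals = _group_aggregates(events, agg, field, by)
    return [dict(event, **{alias: totals[event.get(by) if by else None]})
            for event in events]


def above_group_average(events, field, by, ratio=2.0):
    """Model of `| eventstats avg(field) as group_avg by key | where field > ratio*group_avg`.

    Keeps only events whose value exceeds `ratio` times the average of their
    own group; the per-event comparison is possible only because eventstats
    preserved the rows.
    """
    return [event for event in eventstats(events, mean, field, "group_avg", by)
            if event[field] > ratio * event["group_avg"]]


if __name__ == "__main__":
    print("stats rows      :", stats(EVENTS, mean, "bytes_out", "avg_bytes", by="src_ip"))
    print("eventstats rows :", len(eventstats(EVENTS, mean, "bytes_out", "avg_bytes", by="src_ip")))
    for hit in above_group_average(EVENTS, "bytes_out", by="src_ip"):
        print("outlier         :", hit)
```

Running it shows two `stats` rows (one per `src_ip`) versus six `eventstats` rows, and the single 60000-byte event survives the filter because it exceeds twice its host's average; the 10.0.0.9 events do not, even though their host's average is far lower, which is exactly the per-group comparison a `by` clause gives you.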

Knowledge Check

Prove your understanding to clear the room (Rewards XP)
Write an eventstats command that calculates sum(bytes) as "total_bytes".