In most of the complex queries written in Splunk, the stats, eventstats and streamstats commands are widely used. These commands are helpful for calculations such as count, max, average, etc.

What is stats?
Stats calculates aggregate statistics over the result set, such as average, count, and sum. This is similar to SQL aggregation. If stats is used without a by clause, only one row is returned, which is the aggregation over the entire incoming result set. If you use a by clause, one row is returned for each distinct value of the field(s) specified in the by clause.

What is eventstats?
Eventstats generates summary statistics of all existing fields in your search results and saves those statistics into new fields. The eventstats command is similar to the stats command. The difference is that with the eventstats command the aggregation results are added inline to each event, and only if the aggregation is pertinent to that event; the original events and their fields are kept.

What is streamstats?
Streamstats adds cumulative summary statistics to all search results in a streaming manner. The streamstats command calculates statistics for each event at the time the event is seen. For example, you can calculate the running total for a particular field. The total is calculated by using the values in the specified field for every event that has been processed, up to the current event.

Let’s take an example to understand this better.

To begin, do a simple search of the web logs in Splunk and look at 10 events and the byte count associated with the IP addresses in the field clientip.

The stats command calculates statistics based on fields in your events.

Steps:
1. Search for the first 10 events from the web log.
    sourcetype=access_combined* | head 10
2. Compute the sum of the bytes for each clientip.
    sourcetype=access_combined* | head 10 | stats sum(bytes) as ATotalBytes by clientip

What about the original field name (bytes)?

3. Use table to see the original field name (bytes).
    sourcetype=access_combined* | head 10 | stats sum(bytes) as ATotalBytes by clientip | table bytes, ATotalBytes, clientip

Notice that the bytes column is empty, because once stats has produced its aggregated table, Splunk no longer knows anything about the original bytes field of the individual events.
This is where eventstats can be helpful.

If we want to retain the original field as well, use the eventstats command. This command does not touch the raw events; it only adds the aggregated field to each of them.

Steps:
1. Use eventstats instead of the stats command.
    sourcetype=access_combined* | head 10 | eventstats sum(bytes) as ATotalBytes by clientip

2. Use the table command to see clientip, bytes and ATotalBytes.
    sourcetype=access_combined* | head 10 | eventstats sum(bytes) as ATotalBytes by clientip | table bytes ATotalBytes clientip

We can see that the original bytes field is retained.

If we want to see results in a streaming manner (a running total, event by event), use the streamstats command.

Steps:
1. Use streamstats instead of the eventstats command. Sorting by _time first makes the running total follow the order in which the events occurred.
    sourcetype=access_combined* | head 10 | sort _time | streamstats sum(bytes) as ATotalBytes

2. Use the table command to see _time, clientip, bytes and ATotalBytes.
    sourcetype=access_combined* | head 10 | sort _time | streamstats sum(bytes) as ATotalBytes | table _time bytes ATotalBytes clientip
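To make the three behaviours concrete without a Splunk instance, here is an added Python example (not from the original post) that parses a few constructed access_combined-style log lines and reimplements the three queries above: stats sum(bytes) by clientip, eventstats sum(bytes) by clientip, and sort _time | streamstats sum(bytes). The log lines, IP addresses and byte counts are constructed sample data, and the function names are assumptions of this example; the point is to see which fields survive each command and how the running total differs from the per-client total.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the shape of Splunk's access_combined sourcetype
# (not real log data; IPs are from documentation ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.10 - - [10/Oct/2023:13:55:41 +0000] "GET /app.js HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "POST /api HTTP/1.1" 500 128 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:50 +0000] "GET /export.csv HTTP/1.1" 200 4096 "-" "curl/8.0"
"""

# clientip ident user [timestamp] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_events(text):
    """Turn raw lines into dicts holding the fields Splunk would extract (clientip, _time, bytes, status)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not match the format are skipped, as Splunk would leave them unparsed
        events.append({
            "clientip": m.group("clientip"),
            "_time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            # a "-" byte count means nothing was sent; treat it as 0 for summing
            "bytes": 0 if m.group("bytes") == "-" else int(m.group("bytes")),
            "status": int(m.group("status")),
        })
    return events


def stats_sum_by(events, field, by):
    """Like `stats sum(<field>) as ATotalBytes by <by>`: one row per group, original fields are gone."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev[by]] += ev[field]
    return [{by: key, "ATotalBytes": total} for key, total in totals.items()]


def eventstats_sum_by(events, field, by):
    """Like `eventstats sum(<field>) as ATotalBytes by <by>`: every event kept, its group total attached."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev[by]] += ev[field]
    return [dict(ev, ATotalBytes=totals[ev[by]]) for ev in events]


def streamstats_sum(events, field):
    """Like `sort _time | streamstats sum(<field>) as ATotalBytes`: running total in time order."""
    running = 0
    out = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        running += ev[field]  # total of everything seen so far, including this event
        out.append(dict(ev, ATotalBytes=running))
    return out


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("stats (bytes field no longer exists):")
    for row in stats_sum_by(evs, "bytes", "clientip"):
        print("  ", row)
    print("eventstats (bytes retained next to the per-client total):")
    for row in eventstats_sum_by(evs, "bytes", "clientip"):
        print("  ", row["bytes"], row["ATotalBytes"], row["clientip"])
    print("streamstats (running total across all events):")
    for row in streamstats_sum(evs, "bytes"):
        print("  ", row["_time"], row["bytes"], row["ATotalBytes"], row["clientip"])
```

Running it shows the same thing as the three Splunk screenshots would: stats collapses the five events into three rows with no bytes field, eventstats keeps all five events and stamps each with its client's total, and streamstats produces a cumulative sum that grows from 2326 to 17302 as events are processed in time order.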

If you are still facing issues with the Splunk stats, eventstats and streamstats commands, feel free to ask your doubts in the comment box below, and don't forget to follow us on 👍 social networks. Happy Splunking 😉