Splunk eventstats equivalent in kql?
Is there an equivalent of the eventstats command in KQL, similar to Splunk? If not, is there a way to achieve the same result in KQL?
The eventstats command generates summary statistics from fields in your events and saves those statistics into a new field. The eventstats command places the generated statistics in a new field that is added to the original raw events.
- jdom (Copper Contributor)
Hey Mike,
I believe what you may be looking for would be achieved through the 'summarize' command. I'm not a Splunk expert, so bear with me, but reading the documentation under https://docs.splunk.com/Documentation/Splunk/9.3.2/SearchReference/Eventstats appears to relate closest to 'summarize' in KQL speak.
If I try to marry it up theoretically to the Splunk example:
index=test sourcetype=testDb
| eventstats avg(duration) AS avgdur BY date_minute
could be created in KQL through:
Event
| summarize avgdur=avg(duration) by date_minute
| join kind=inner (Event) on date_minute
The easiest example and lowest barrier to entry for the summarize function for everyday Sentinel use would be something as simple as seeing SecurityIncidents by day:
SecurityIncident
| summarize count() by bin(TimeGenerated,1d), Title
Give it a go and let me know if this matches what you're looking for 😃
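A self-contained worked version of the summarize-plus-join pattern from the reply above, written as an added example rather than code from the original post. The `Event` table here is a constructed `datatable` (not real telemetry), and the column names `user` and `duration`, the minute bucket `date_minute`, and the `deviation` threshold are assumptions for illustration. It shows the part that makes this an eventstats equivalent: the per-group statistics are attached back onto every original row, so each event can then be compared against its own group's average, which is the usual way to surface outliers in a defender's query.

```kql
// Constructed sample events (not real telemetry): one row per event,
// with the minute bucket it falls into and a duration in milliseconds.
let Event = datatable(TimeGenerated:datetime, date_minute:int, user:string, duration:real)
[
    datetime(2024-01-01 10:00:05), 0, "alice", 120.0,
    datetime(2024-01-01 10:00:40), 0, "bob",    80.0,
    datetime(2024-01-01 10:01:10), 1, "alice", 300.0,
    datetime(2024-01-01 10:01:50), 1, "carol", 100.0,
    datetime(2024-01-01 10:01:55), 1, "bob",   500.0,
];
// eventstats-style: compute the statistics per group, then join them back
// onto every original event so the raw rows keep their own columns.
Event
| summarize avgdur = avg(duration), n = count() by date_minute
| join kind=inner (Event) on date_minute
// KQL keeps both copies of the join key; the right-hand one is renamed date_minute1.
| project-away date_minute1
// Now each event carries its group's average, so per-row comparison is possible.
| extend deviation = duration - avgdur
| where deviation > 100   // events well above the average for their minute
| order by TimeGenerated asc
// With the constructed data this returns the single bob/500.0 row in minute 1
// (minute 0 averages 100.0, minute 1 averages 300.0).
```

Two points worth checking when adapting this: `kind=inner` is stated explicitly because a bare `join` in KQL defaults to `innerunique`, which deduplicates the left side on the key and would silently drop rows in other arrangements of the query; and `project-away` on the suffixed key keeps the result schema identical to the original table plus the new statistic columns, which is what eventstats produces in Splunk.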