What's the DNIF equivalent of Splunk eventstats?


#1

Is there a way to achieve aggregations with different split-by conditions without losing fields? In Splunk you would do this with eventstats.

For example, if I want to find a peak rate of requests/minute of X, but want to find the requests over 97th percentile of peak over the whole time range, I would need the following two:

  1. To get the peak request rate I would need something like:

| timeslice 1m
| count as Count by _timeslice, count
| max(Count) as Peak by count

  2. Next, calculate the percentage value greater than 97…

In Splunk you would use eventstats to do this. How can this be achieved here?
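To make the asked-for semantics concrete, here is an added Python model of the pipeline described above (it is not DNIF or Splunk code and not from the original post). `stats_count` collapses events to one row per group, while `eventstats` computes an aggregate per group and writes it back onto every row, which is the "without losing fields" property the question is after. The sample events, the `key` field standing in for the post's split-by field, and the linear-interpolation percentile are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import math

# Constructed sample: requests per minute for two request types. "key" is a
# stand-in for whatever field the post splits by. Not real data.
SAMPLE_MINUTE_COUNTS = {
    ("api", 0): 3, ("api", 1): 5, ("api", 2): 2, ("api", 3): 9, ("api", 4): 4,
    ("web", 0): 1, ("web", 1): 2, ("web", 2): 6, ("web", 3): 2, ("web", 4): 3,
}
BASE = datetime(2024, 1, 1, 10, 0, 0)


def build_events():
    """Expand the constructed per-minute counts into individual raw events."""
    events = []
    for (key, minute), n in SAMPLE_MINUTE_COUNTS.items():
        for i in range(n):
            ts = BASE + timedelta(minutes=minute, seconds=(i * 7) % 60)
            events.append({"ts": ts, "key": key})
    return events


def timeslice(ts, minutes=1):
    """Floor a timestamp to the start of its bucket (the `| timeslice 1m` step)."""
    bucket = (ts.minute // minutes) * minutes
    return ts.replace(minute=bucket, second=0, microsecond=0)


def stats_count(events, by):
    """Splunk-style `stats count by ...`: collapses events to one row per group.
    Every field not named in `by` is lost here."""
    counts = defaultdict(int)
    for e in events:
        counts[tuple(e[f] for f in by)] += 1
    return [dict(zip(by, k), Count=v) for k, v in counts.items()]


def eventstats(rows, by, name, agg):
    """Splunk-style eventstats: compute `agg` over each group and write the
    result back onto every row, so no existing fields are lost.
    An empty `by` aggregates over the whole result set."""
    groups = defaultdict(list)
    for r in rows:
        groups[tuple(r[f] for f in by)].append(r)
    return [dict(r, **{name: agg(groups[tuple(r[f] for f in by)])}) for r in rows]


def percentile(values, p):
    """Linear-interpolation percentile (assumption: numpy's default convention)."""
    s = sorted(values)
    rank = (p / 100) * (len(s) - 1)
    lo, hi = math.floor(rank), math.ceil(rank)
    return s[lo] + (s[hi] - s[lo]) * (rank - lo)


def peak_and_outliers(events, pct=97):
    """Per-minute counts per key, the peak per key, and a flag for minutes whose
    count exceeds the pct-th percentile over the whole time range."""
    rows = [dict(e, _timeslice=timeslice(e["ts"])) for e in events]
    rows = stats_count(rows, by=["_timeslice", "key"])
    rows = eventstats(rows, by=["key"], name="Peak",
                      agg=lambda g: max(r["Count"] for r in g))
    rows = eventstats(rows, by=[], name="P97",
                      agg=lambda g: percentile([r["Count"] for r in g], pct))
    for r in rows:
        r["above_p97"] = r["Count"] > r["P97"]
    return rows


if __name__ == "__main__":
    for r in peak_and_outliers(build_events()):
        print(r["_timeslice"].strftime("%H:%M"), r["key"], r["Count"],
              "peak=%d" % r["Peak"], "p97=%.2f" % r["P97"], r["above_p97"])
```

The second `eventstats` call uses an empty `by` list so the percentile is computed once over the whole range and attached to every row; the comparison in the final loop then has both the per-minute count and the global threshold available on the same row.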


#2

Hi @Loraine,
I would suggest you use the "_agg" directive; here is the documentation for the same: Using _agg directive. Also, the equivalent of "eventstats" in DNIF is countunique.