https://community.splunk.com/t5/Splunk-Search/Why-use-eventstats-and-stats-together/m-p/546588#M154955 <P>eventstats adds fields to the events and preserves the existing fields</P><P>stats replaces the events with calculated fields</P><P>For example, let's say you wanted to chart percentage of events from each host per day</P><P>&nbsp;</P><LI-CODE lang="markup"> ... | bin span=1d _time | stats count BY _time host | eventstats sum(count) as total by _time | eval percent = count / total | chart values(percent) by _time host</LI-CODE><P>&nbsp;</P><P>stats does the counting by time and host</P><P>eventstats calculates the daily total</P><P>eval calculates the daily percentage for each host</P> Sat, 03 Apr 2021 08:00:11 GMT ITWhisperer 2021-04-03T08:00:11Z https://community.splunk.com/t5/Splunk-Search/Why-use-eventstats-and-stats-together/m-p/546587#M154954 <P>Hello,</P><P>I have seen eventstats and stats used together, but I’m not clear on why and when the use of the mentioned would need to be used.</P><P>can you explain why use eventstats and stats together and provide an example?</P> Sat, 03 Apr 2021 06:31:06 GMT https://community.splunk.com/t5/Splunk-Search/Why-use-eventstats-and-stats-together/m-p/546587#M154954 luna 2021-04-03T06:31:06Z https://community.splunk.com/t5/Splunk-Search/Why-use-eventstats-and-stats-together/m-p/546588#M154955 <P>eventstats adds fields to the events and preserves the existing fields</P><P>stats replaces the events with calculated fields</P><P>For example, let's say you wanted to chart percentage of events from each host per day</P><P>&nbsp;</P><LI-CODE lang="markup"> ... | bin span=1d _time | stats count BY _time host | eventstats sum(count) as total by _time | eval percent = count / total | chart values(percent) by _time host</LI-CODE><P>&nbsp;</P><P>stats does the counting by time and host</P><P>eventstats calculates the daily total</P><P>eval calculates the daily percentage for each host</P> Sat, 03 Apr 2021 08:00:11 GMT https://community.splunk.com/t5/Splunk-Search/Why-use-eventstats-and-stats-together/m-p/546588#M154955 ITWhisperer 2021-04-03T08:00:11Z https://community.splunk.com/t5/Splunk-Search/Why-use-eventstats-and-stats-together/m-p/546625#M154960 <P>In a similar vein to&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>'s answer, I sometimes combine them for filtering, although this example is contrived:</P><P>| stats count by foo<BR />| eventstats max(count) as mode<BR />| where count==mode</P> Sun, 04 Apr 2021 14:56:17 GMT https://community.splunk.com/t5/Splunk-Search/Why-use-eventstats-and-stats-together/m-p/546625#M154960 tscroggins 2021-04-04T14:56:17Z