What is the difference between stats and eventstats? [Intermediate]
Answer
stats transforms events into aggregate results, while eventstats computes aggregates and adds them back to each original event. Use stats when you only need the summary; use eventstats when you still need event-level detail plus the aggregate context.
Technical explanation
stats reduces the result set and removes fields not in the aggregation.
eventstats preserves original events and appends aggregate values such as average latency by service.
eventstats can be more expensive because it keeps many events in the pipeline.
Hands-on example
Example: index=prod_app service=checkout | eventstats avg(duration_ms) as avg_ms by endpoint | where duration_ms > 2*avg_ms. This keeps each slow event while comparing it to its endpoint's average. With stats alone, the raw events would be gone.
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More Observability interview questions
- What is observability, and how is it different from traditional monitoring? [Basic]
- What are the three pillars of observability (metrics, logs, traces)? [Basic]
- What is the difference between monitoring and observability in practice? [Basic]
- What are the four golden signals of monitoring? [Basic]
- What is the difference between the USE method and the RED method? [Basic]
- When would you use the USE method versus the RED method? [Basic]
- What is an SLI, an SLO, and an SLA, and how do they relate? [Basic]
- How do you choose good SLIs for a service? [Basic]