Splunk® Cloud Services

SPL2 Search Reference

Overview of SPL2 stats and chart functions

Use statistical and charting functions to generate a calculation, such as an average or percentage, based on the fields in your events.

Quick reference

See the Quick Reference for SPL2 Stats and Charting Functions for a list of the supported statistical functions, along with a brief description and the syntax for each function.

Commands that use stats functions

You can use the statistical and charting functions with the stats, eventstats, streamstats, and timechart commands.

Using eval expressions in statistical and charting functions

In some of the examples for the statistical and charting functions you might see eval expressions.

Using an eval expression in a statistical or charting function is a shortcut for specifying an eval command that creates a field, followed by a stats command that references that field.

For example:

... | stats count(eval(status="404")) AS count_status BY sourcetype

Here's another example:

... | timechart eval(round(avg(cpu_seconds),2)) BY processor

When you use an eval expression with the timechart command, you must also use a BY clause.


As a shortcut, you can use an eval <expression> in a statistical or charting function where you would normally use a <field>. One example of the eval <expression> syntax is:

... | stats func(eval(<expression>)) 

This eval <expression> syntax is equivalent to this command syntax:

... | eval temp_field = <expression> | stats func(temp_field)



Using functions

  • All functions that accept strings can accept either a literal string or a field name. 
  • All functions that accept numbers can accept either literal numbers or any numeric field name.

Some field values are processed as string literals

Most of the statistical and charting functions expect the field values to be numbers. For those functions, all of the values are processed as numbers, and any non-numeric values are ignored.

The following functions process the field values as string literal values, even when the values are numbers.

  • count
  • distinct_count
  • earliest
  • estdc
  • estdc_error
  • first
  • latest
  • last
  • list
  • max
  • min
  • mode
  • values

For example, suppose you use the distinct_count function and the field contains values such as "1", "1.0", and "01". Each value is considered a distinct string value.

The only exceptions are the max and min functions. These functions process values as numbers if possible. For example, the values "1", "1.0", and "01" are processed as the same numeric value.
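
The following Python model is an added example, not Splunk code or part of the original documentation. It mimics the documented behavior of distinct_count (string comparison) and of max and min (numeric comparison) over constructed events, and shows how the per-group count changes when values are converted to numbers before counting. The field names src and dest_port, the sample events, and the normalize option are assumptions made for illustration.

```python
from collections import defaultdict
from decimal import Decimal, InvalidOperation

# Constructed sample events; the field names src and dest_port are assumptions.
EVENTS = [
    {"src": "10.0.0.5", "dest_port": "443"},
    {"src": "10.0.0.5", "dest_port": "0443"},
    {"src": "10.0.0.5", "dest_port": "443.0"},
    {"src": "10.0.0.9", "dest_port": "22"},
    {"src": "10.0.0.9", "dest_port": "80"},
    {"src": "10.0.0.9", "dest_port": "n/a"},
]

def as_number(value):
    """Return a Decimal for a numeric-looking string, otherwise None."""
    try:
        number = Decimal(value.strip())
    except InvalidOperation:
        return None
    return number if number.is_finite() else None

def distinct_count_by(events, field, by, normalize=False):
    """Model of `stats distinct_count(<field>) BY <by>`.

    normalize=False compares raw strings, as the page describes.
    normalize=True converts numeric-looking values to numbers first,
    a step added in this model to show the difference.
    """
    groups = defaultdict(set)
    for event in events:
        raw = event[field]
        number = as_number(raw) if normalize else None
        key = ("num", number) if number is not None else ("str", raw)
        groups[event[by]].add(key)
    return {group: len(keys) for group, keys in groups.items()}

def numeric_min_max(values):
    """Model of min/max over values that parse as numbers.

    How non-numeric values are treated is not stated on the page,
    so they are skipped here rather than modelled.
    """
    numbers = [n for n in map(as_number, values) if n is not None]
    return (min(numbers), max(numbers)) if numbers else None

if __name__ == "__main__":
    print("string compare :", distinct_count_by(EVENTS, "dest_port", "src"))
    print("numeric compare:", distinct_count_by(EVENTS, "dest_port", "src", True))
    print("min/max        :", numeric_min_max(["1", "1.0", "01"]))
```

A search that alerts when the distinct count of a field crosses a threshold counts "443", "0443", and "443.0" as three values, so sources that format the same number differently can change the result.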

See also

Functions
Overview of SPL2 eval functions
Overview of SPL2 dataset_functions
Naming function arguments in the SPL2 Search Manual
Last modified on 16 May, 2023

This documentation applies to the following versions of Splunk® Cloud Services: current

