Functions for stats, chart, and timechart

Functions for stats, chart, and timechart

These are statistical functions that you can use with the chart, stats, and timechart commands.

Note: Functions that are relevant for stats are also relevant for eventstats and streamstats.

Note: Functions that are relevant for chart, stats, and timechart are also relevant for their respective summary indexing counterparts: sichart, sistats, and sitimechart.

Function	Description	Command(s)	Example(s)
avg(X)	This function returns the average of the values of field X. See also, mean(X).	chart, stats, and timechart	This examples returns the average response time: avg(responseTime)
c(X) | count(X)	This function returns the number of occurrences of the field X. To indicate a specific field value to match, format X as eval(field="value").	chart, stats, and timechart	This example returns the count of events where status has the value "404": count(eval(status=404))
dc(X) | distinct_count(X)	This function returns the count of distinct values of the field X.	chart, stats, and timechart
first(X)	This function returns the first seen value of the field X. In general, the first seen value of the field is the chronologically most recent instace of this field.	chart, stats, and timechart
last(X)	This function returns the last seen value of the field X.	chart, stats, and timechart
list(X)	This function returns the list of all values of the field X as a multi-value entry. The order of the values reflects the order of input events.	chart, stats, and timechart
max(X)	This function returns the maximum value of the field X. If the values of X are non-numeric, the max is found from lexicographic ordering.	chart, stats, and timechart	This example returns the maximum value of "size": max(size)
mean(X)	This function returns the arithmetic mean of the field X. See also, avg(X).	chart, stats, and timechart	This example returns the mean of "kbps" values: mean(kbps)
median(X)	This function returns the middle-most value of the field X.	chart, stats, and timechart
min(X)	This function returns the minimum value of the field X. If the values of X are non-numeric, the min is found from lexicographic ordering.	chart, stats, and timechart
mode(X)	This function returns the most frequent value of the field X.	chart, stats, and timechart
p<X>(Y) | perc<X>(Y)	This function returns the X-th percentile value of the field Y.	chart, stats, and timechart	This example returns the 5th percentile value of a field "total": perc5(total)
per_day(X)	This function returns the values of field X per day.	timechart	This example returns the values of "total" per day. per_day(total)
per_hour(X)	This function returns the values of field X per hour.	timechart	This example returns the values of "total" per hour. per_hour(total)
per_minute(X)	This function returns the values of field X per minute.	timechart	This example returns the values of "total" per minute. per_minute(total)
per_second(X)	This function returns the values of field X per second.	timechart	This example returns values of "kb" per second: per_second(kb)
range(X)	This function returns the difference between the max and min values of the field X ONLY IF the value of X are numeric.	chart, stats, and timechart
stdev(X)	This function returns the {sample, population} standard deviation of the field X.	chart, stats, and timechart	This example returns the standard deviation of wildcarded fields "*delay" which can apply to both, "delay" and "xdelay". stdev(*delay)
sum(X)	This function returns the sum of the values of the field X.	chart, stats, and timechart	sum({date_hour * date_minute})
values(X)	This function returns the list of all distinct values of the field X as a multi-value entry. The order of the values is lexicographical.	chart, stats, and timechart
var(X)	This function returns the {sample, population} variance of the field X.	chart, stats, and timechart

• Was this topic useful?
• Post a comment