Search Reference


stats


Synopsis

Provides statistics, grouped optionally by field.

Syntax

Simple: stats (stats-function(field) [as field])+ [by field-list]

Complete: stats [allnum=<bool>] [delim=<string>] <stats-agg-term> [<by-clause>]

Arguments

allnum
Datatype: <bool>
Description: If true, numerical statistics (such as avg(), sum(), or max()) are computed on a field only if every value of that field is numerical. When false (the default), non-numerical values are skipped and the statistic is computed over the numerical values that remain.
delim
Datatype: <string>
Description: Specifies how the values produced by the list() or values() aggregation are delimited. (Default is a single space.)
stats-agg-term
Syntax: <stats-func>( <evaled-field> | <wc-field> ) [AS <wc-field>]
Description: A statistical specifier, optionally renamed to a new field name with AS. The specifier is an aggregation function applied either to a field or set of fields (wildcards such as *lay are allowed) or to an arbitrary eval expression, for example count(eval(status="404")).
by-clause
Syntax: by <field-list>
Description: The name of one or more fields to group by. One output row is produced for each distinct combination of values of these fields.

Stats functions options

stats-function
avg() | c() | count() | dc() | distinct_count() | first() | last() | list() | max() | median() | min() | mode() | perc<int>() | range() | stdev() | stdevp() | sum() | values() | var() | varp()
For a list of stats functions with descriptions and examples, see "Functions for stats, chart, and timechart".

Description

Calculate aggregate statistics over the dataset, similar to SQL aggregation. If called without a by-clause, one row is produced, which represents the aggregation over the entire incoming result set. If called with a by-clause, one row is produced for each distinct value of the by-clause.
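The following search is added here as an illustration of the by-clause and of several of the functions listed above working together; it is not part of the original Splunk page. It assumes a sourcetype named linux_secure whose events already have the extracted fields src_ip and user; those names are assumptions for this example, not fields the page defines. The search ranks source addresses by failed SSH password attempts.

```spl
sourcetype=linux_secure "Failed password"
| stats count AS failures
        dc(user) AS distinct_users
        values(user) AS users_tried
        min(_time) AS first_seen
        max(_time) AS last_seen
  BY src_ip
| search failures > 20 OR distinct_users > 5
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - failures
```

Because stats is given BY src_ip, the output contains one row per source address; without the by-clause the same search would collapse to a single row summarizing all failures. count needs no field argument and gives the number of events in each group. dc(user) and values(user) return the number of distinct accounts tried and the deduplicated list itself, which separates one user mistyping a password from a source walking a username list. min(_time) and max(_time) bracket the activity window, and the two eval calls turn the epoch values back into readable timestamps. Note that after stats only the aggregated fields exist, which is why the filtering is done with search on failures and distinct_users rather than on the raw events; to inspect the underlying events for a suspicious address, run a second search for that src_ip value. The thresholds 20 and 5 are arbitrary starting points and should be tuned to the environment.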

Examples

Example 1: Search the access logs, and return the total number of hits from the top 100 values of "referer_domain". (The "top" command returns a count and percent value for each "referer_domain".)

sourcetype=access_combined | top limit=100 referer_domain | stats sum(count) AS total

Example 2: Return the average for each hour, of any unique field that ends with the string "lay" (for example, delay, xdelay, relay, etc).

... | stats avg(*lay) BY date_hour

Example 3: Return the number of distinct "host" values in the results, which is the same as removing duplicate hosts and counting what remains.

... | stats dc(host)

Example 4: As in Example 1, but matching every sourcetype that begins with "access" and leaving the total in the default output field name, sum(count).

sourcetype=access* | top limit=100 referer_domain | stats sum(count)

Example 5: Return the average value of the "kbps" field for each host, one row per host.

sourcetype=access* | stats avg(kbps) by host

See also

eventstats, rare, sistats, streamstats, top

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11

