Statistical and charting functions
These are statistical functions that you can use with the chart, stats, and timechart commands.

Functions that are relevant for stats are also relevant for eventstats, streamstats, and geostats. Functions that are relevant for chart, stats, and timechart are also relevant for their respective summary indexing counterparts: sichart, sistats, and sitimechart. Functions that are relevant for sparklines will say as much. Note that sparklines is not a search command; it is a function that applies only to chart and stats and allows you to call other functions. For more information, read "Add sparklines to search results" in the Search Manual.
Function  Description  Commands  Examples 

avg(X)

Returns the average of the values of field X. See also, mean(X).  chart , stats , timechart , sparkline()

This example returns the average response time:

c(X)  count(X)

Returns the number of occurrences of the field X. To indicate a specific field value to match, format X as eval(field="value").  chart , stats , timechart , sparkline()

This example returns the count of events where status has the value "404":
These generate sparklines for the counts of events. The first looks at the

dc(X)  distinct_count(X)

Returns the count of distinct values of the field X.  chart , stats , timechart , sparkline()

This example generates sparklines for the distinct count of devices and renames the field, "numdevices":
This example counts the distinct sources for each sourcetype, and buckets the count into five-minute spans:

earliest(X)

Returns the chronologically earliest seen occurrence of a value of a field X.  chart , stats , timechart


estdc(X)

Returns the estimated count of the distinct values of the field X.  chart , stats , timechart


estdc_error(X)

Returns the theoretical error of the estimated count of the distinct values of the field X. The error represents a ratio of abs(estimate_value - real_value)/real_value.  chart , stats , timechart


first(X)

Returns the first seen value of the field X. In general, the first seen value of the field is the most recent instance of this field, relative to the input order of events into the stats command.  chart , stats , timechart


last(X)

Returns the last seen value of the field X. In general, the last seen value of the field is the oldest instance of this field relative to the input order of events into the stats command.  chart , stats , timechart


latest(X)

Returns the chronologically latest seen occurrence of a value of a field X.  chart , stats , timechart


list(X)

Returns the list of all values of the field X as a multivalue entry. The order of the values reflects the order of input events.  chart , stats , timechart


max(X)

Returns the maximum value of the field X. If the values of X are nonnumeric, the max is found from lexicographic ordering.  chart , stats , timechart , sparkline()

This example returns the maximum value of "size":

mean(X)

Returns the arithmetic mean of the field X. See also, avg(X).  chart , stats , timechart , sparkline()

This example returns the mean of "kbps" values:

median(X)

Returns the middlemost value of the field X.
Note: The median calculation is more correct for odd numbers of events. In cases where you have an even number of events, the median is approximated to be the higher of the two values. 
chart , stats , timechart


min(X)

Returns the minimum value of the field X. If the values of X are nonnumeric, the min is found from lexicographic ordering.  chart , stats , timechart


mode(X)

Returns the most frequent value of the field X.  chart , stats , timechart


p<X>(Y)  perc<X>(Y)  exactperc<X>(Y)  upperperc<X>(Y)

Returns the Xth percentile value of the numeric field Y, where X is an integer between 1 and 99. The Xth percentile function sorts the values of Y in increasing order. Then, if you consider that 0% is the lowest and 100% the highest, the function picks the value that corresponds to the position of the X% value.
The functions perc, p, and upperperc give approximate values for the integer percentile requested. The approximation algorithm used provides a strict bound of the actual value for any percentile. The functions perc and p return a single number that represents the lower end of that range while upperperc gives the approximate upper bound. exactperc provides the exact value, but will be very expensive for high cardinality fields. 
chart , stats , timechart

For the list of values Y = {10,9,8,7,6,5,4,3,2,1} :

per_day(X)

Returns the values of field X per day.  timechart

This example returns the values of "total" per day.

per_hour(X)

Returns the values of field X per hour.  timechart

This example returns the values of "total" per hour.

per_minute(X)

Returns the values of field X per minute.  timechart

This example returns the values of "total" per minute.

per_second(X)

Returns the values of field X per second.  timechart

This example returns values of "kb" per second:

range(X)

Returns the difference between the max and min values of the field X, only if the values of X are numeric.  chart , stats , timechart , sparkline()


stdev(X)

Returns the sample standard deviation of the field X.  chart , stats , timechart , sparkline()

This example returns the standard deviation of wildcarded fields "*delay", which can apply to both "delay" and "xdelay".

stdevp(X)

Returns the population standard deviation of the field X.  chart , stats , timechart , sparkline()


sum(X)

Returns the sum of the values of the field X.  chart , stats , timechart , sparkline()

sum(eval(date_hour * date_minute))

sumsq(X)

Returns the sum of the squares of the values of the field X.  chart , stats , timechart , sparkline()


values(X)

Returns the list of all distinct values of the field X as a multivalue entry. The order of the values is lexicographical.  chart , stats , timechart


var(X)

Returns the sample variance of the field X.  chart , stats , timechart , sparkline()


varp(X)

Returns the population variance of the field X.  chart , stats , timechart , sparkline()
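
The median, percentile, var/varp, stdev/stdevp and estdc_error entries above, modelled in Python as an added example (not Splunk's code and not part of the original documentation). The percentile position rule `floor(X * n / 100)` is an assumption chosen so that the 50th percentile agrees with the median note, and the `SIZES` values are constructed.

```python
import math

# Constructed sample data (not from the Splunk documentation).
SIZES = [2, 4, 4, 4, 5, 5, 7, 9]          # even number of events
Y = [10, 9, 8, 7, 6, 5, 4, 3, 2, 1]       # the list used in the percentile entry


def median_upper(values):
    """Middlemost value; with an even count, the higher of the two middle values."""
    ordered = sorted(values)
    return ordered[len(ordered) // 2]


def percentile_pick(values, x):
    """Sort ascending, then pick the value at the X% position.

    Assumption: the position is floor(x * n / 100), zero-based, chosen so that
    x=50 agrees with median_upper(); Splunk's approximate variants may differ.
    """
    if not (isinstance(x, int) and 1 <= x <= 99):
        raise ValueError("x must be an integer between 1 and 99")
    ordered = sorted(values)
    return ordered[x * len(ordered) // 100]


def variance(values, sample=True):
    """var(X) when sample=True (divide by n-1), varp(X) otherwise (divide by n)."""
    n = len(values)
    if n == 0 or (sample and n < 2):
        raise ValueError("not enough values")
    mean = sum(values) / n
    squared_dev = sum((v - mean) ** 2 for v in values)
    return squared_dev / (n - 1 if sample else n)


def stdev(values, sample=True):
    """stdev(X) when sample=True, stdevp(X) otherwise."""
    return math.sqrt(variance(values, sample))


def estdc_error(estimate_value, real_value):
    """Relative error of an estimated distinct count, per the estdc_error entry."""
    return abs(estimate_value - real_value) / real_value


if __name__ == "__main__":
    print("median:", median_upper(SIZES), "p50/p95:", percentile_pick(Y, 50), percentile_pick(Y, 95))
    print("var/varp:", variance(SIZES), variance(SIZES, sample=False))
    print("stdev/stdevp:", stdev(SIZES), stdev(SIZES, sample=False))
    print("estdc_error:", estdc_error(98, 100))
```

On small event counts the sample and population forms diverge noticeably (here 32/7 against 4), which matters when a threshold is built as a multiple of the standard deviation.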

See also
Evaluation functions, stats, chart, timechart, eventstats, streamstats, geostats
This documentation applies to the following versions of Splunk: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5
The percentile functions seem to work for noninteger X values as well (at least it works in 6.2).
For example p99.99(y) works.