Statistical and charting functions
You can use the statistical functions with the chart, stats, and timechart commands. Functions that you use with the stats command can also be used with the eventstats, streamstats, and geostats commands. You can also use many of these functions with the tstats command. Functions that you use with the chart, stats, and timechart commands can also be used with their respective summary indexing counterparts: sichart, sistats, and sitimechart. Functions that you can use to create sparkline charts are noted in the tables below. Sparkline is not a search command; it is a function that applies only to the chart and stats commands and allows you to call other functions. For more information, see Add sparklines to search results in the Search Manual.
String and numeric field values
Most of the statistical and charting functions expect the field values to be numbers. All of the values are processed as numbers, and any nonnumeric values are ignored.
Some functions process the field values as literal string values, even though the values are numbers. For example, if you use the distinct count function and the field contains values such as "1", "1.0", and "01", each value is considered a distinct string value.
The only exceptions are the max and min functions. These functions process values as numbers if possible. For example, values such as "1", "1.0", and "01" are processed as the same numeric value.
Types of functions
There are several types of statistical and charting functions:
Aggregate functions
Most aggregate functions are used with numeric fields. However, there are some functions that you can use with either alphabetic string fields or numeric fields. The function descriptions indicate which functions you can use with alphabetic strings.
avg(X)
    Returns the average of the values of field X. See also mean(X).
    Commands: chart, stats, timechart, sparkline()
    Example: This example returns the average response time:

c(X), count(X)
    Returns the number of occurrences of the field X. To indicate a specific field value to match, format X as eval(field="value").
    Commands: chart, stats, timechart, sparkline()
    Example: This example returns the count of events where status has the value "404":
    Example: These generate sparklines for the counts of events. The first looks at the

dc(X), distinct_count(X)
    Returns the count of distinct values of the field X.
    Commands: chart, stats, timechart, sparkline()
    Example: This example generates sparklines for the distinct count of devices and renames the field "numdevices":
    Example: This example counts the distinct sources for each sourcetype, and buckets the counts into five-minute spans:

estdc(X)
    Returns the estimated count of the distinct values of the field X.
    Commands: chart, stats, timechart

estdc_error(X)
    Returns the theoretical error of the estimated count of the distinct values of the field X. The error represents the ratio abs(estimate_value - real_value)/real_value.
    Commands: chart, stats, timechart

max(X)
    Returns the maximum value of the field X. If the values of X are nonnumeric, the max is found using lexicographical ordering.
    Commands: chart, stats, timechart, sparkline()
    Example: This example returns the maximum value of "size":

mean(X)
    Returns the arithmetic mean of the field X. See also avg(X).
    Commands: chart, stats, timechart, sparkline()
    Example: This example returns the mean of "kbps" values:

median(X)
    Returns the middlemost value of the field X.
    Commands: chart, stats, timechart

min(X)
    Returns the minimum value of the field X. If the values of X are nonnumeric, the min is found using lexicographical ordering.
    Commands: chart, stats, timechart

mode(X)
    Returns the most frequent value of the field X.
    Commands: chart, stats, timechart

p<X>(Y), perc<X>(Y), upperperc<X>(Y), exactperc<X>(Y)
    Returns the Xth percentile value of the numeric field Y, where X is an integer between 1 and 99. The percentile function sorts the values of Y in increasing order. Then, treating 0% as the lowest value and 100% as the highest, the function picks the value that corresponds to the X% position.
    Commands: chart, stats, timechart
    Example: For the list of values Y = {10,9,8,7,6,5,4,3,2,1}:

range(X)
    Returns the difference between the max and min values of the field X ONLY IF the values of X are numeric.
    Commands: chart, stats, timechart, sparkline()

stdev(X)
    Returns the sample standard deviation of the field X.
    Commands: chart, stats, timechart, sparkline()
    Example: This example returns the standard deviation of the wildcarded fields "*delay", which can apply to both "delay" and "xdelay":

stdevp(X)
    Returns the population standard deviation of the field X.
    Commands: chart, stats, timechart, sparkline()

sum(X)
    Returns the sum of the values of the field X.
    Commands: chart, stats, timechart, sparkline()
    Example: sum(eval(date_hour * date_minute))

sumsq(X)
    Returns the sum of the squares of the values of the field X.
    Commands: chart, stats, timechart, sparkline()

var(X)
    Returns the sample variance of the field X.
    Commands: chart, stats, timechart, sparkline()

varp(X)
    Returns the population variance of the field X.
    Commands: chart, stats, timechart, sparkline()

Event order functions
These functions return events based on chronological or timestamp order.
earliest(X)
    Returns the chronologically earliest seen occurrence of a value of the field X.
    Commands: chart, stats, timechart

first(X)
    Returns the first seen value of the field X. In general, the first seen value of the field is the most recent instance of this field, relative to the input order of events into the stats command.
    Commands: chart, stats, timechart

last(X)
    Returns the last seen value of the field X. In general, the last seen value of the field is the oldest instance of this field, relative to the input order of events into the stats command.
    Commands: chart, stats, timechart

latest(X)
    Returns the chronologically latest seen occurrence of a value of the field X.
    Commands: chart, stats, timechart

Multivalue functions
list(X)
    Returns a list of up to 100 values of the field X as a multivalue entry. The order of the values reflects the order of the input events. This function processes field values as strings.
    Commands: chart, stats, timechart

values(X)
    Returns the list of all distinct values of the field X as a multivalue entry. The order of the values is lexicographical. This function processes field values as strings.
    Commands: chart, stats, timechart

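The difference between first()/last() and earliest()/latest(), and between list() and values(), is easy to get wrong in an investigation query (for example, "which user was on this host last?"). The following is an added example, not code from the Splunk documentation, that models these functions in Python over constructed login events. The events are fed newest-first, as a search hands them to stats; apart from the _time field, every name in it is this example's own.

```python
"""Added example, not code from the Splunk documentation: a Python model of the
event order and multivalue functions on this page, run over constructed events.
Apart from the _time field, all names here are this example's own."""

LIST_LIMIT = 100  # the page states that list(X) keeps at most 100 values


def _present(events, field):
    """Values of `field` from the events that carry it, in the order given."""
    return [e[field] for e in events if field in e]


def first(events, field):
    """first(X): first value seen in input order. A search hands events to stats
    newest-first, so on unsorted results this is the most recent value."""
    vals = _present(events, field)
    return vals[0] if vals else None


def last(events, field):
    """last(X): last value seen in input order (the oldest on unsorted results)."""
    vals = _present(events, field)
    return vals[-1] if vals else None


def earliest(events, field):
    """earliest(X): value from the event with the smallest _time, whatever the input order."""
    have = [e for e in events if field in e]
    return min(have, key=lambda e: e["_time"])[field] if have else None


def latest(events, field):
    """latest(X): value from the event with the largest _time, whatever the input order."""
    have = [e for e in events if field in e]
    return max(have, key=lambda e: e["_time"])[field] if have else None


def list_fn(events, field):
    """list(X): values as strings, in input order, truncated to LIST_LIMIT."""
    return [str(v) for v in _present(events, field)][:LIST_LIMIT]


def values_fn(events, field):
    """values(X): distinct values as strings, sorted lexicographically, no cap."""
    return sorted({str(v) for v in _present(events, field)})


# Constructed sample: four login events in the order a search returns them
# (newest first). The event at _time=3 has no 'user' field.
SEARCH_RESULTS = [
    {"_time": 4, "user": "dave", "action": "failure"},
    {"_time": 3, "action": "failure"},
    {"_time": 2, "user": "bob", "action": "success"},
    {"_time": 1, "user": "alice", "action": "success"},
]


def order_functions(events, field="user"):
    """Apply the four event order functions to one field."""
    return {
        "first": first(events, field),
        "last": last(events, field),
        "earliest": earliest(events, field),
        "latest": latest(events, field),
    }


def order_after_sort(events, field="user"):
    """Same events after an oldest-first sort: first/last swap, earliest/latest do not."""
    return order_functions(sorted(events, key=lambda e: e["_time"]), field)


def list_vs_values(n=10000):
    """Mirrors the reader comment at the end of this page: a 'rowNumber' field
    over n rows gives list() at most 100 entries but values() all n."""
    rows = [{"_time": i, "rowNumber": i} for i in range(1, n + 1)]
    return len(list_fn(rows, "rowNumber")), len(values_fn(rows, "rowNumber"))


if __name__ == "__main__":
    print(order_functions(SEARCH_RESULTS))
    print(order_after_sort(SEARCH_RESULTS))
    print(list_vs_values())
```

The practical takeaway: a query that relies on first() or last() changes meaning as soon as a sort, dedup or subsearch alters the input order, whereas earliest() and latest() are anchored to _time. Likewise, values() of a numeric field comes back string-sorted ("01" before "1" before "1.0"), and list() stops at 100 entries without any warning.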
Time functions
per_day(X)
    Returns the values of field X per day.
    Commands: timechart
    Example: This example returns the values of "total" per day:

per_hour(X)
    Returns the values of field X per hour.
    Commands: timechart
    Example: This example returns the values of "total" per hour:

per_minute(X)
    Returns the values of field X per minute.
    Commands: timechart
    Example: This example returns the values of "total" per minute:

per_second(X)
    Returns the values of field X per second.
    Commands: timechart
    Example: This example returns the values of "kb" per second:

See also: Evaluation functions, stats, chart, timechart, eventstats, streamstats, geostats
This documentation applies to the following versions of Splunk^{®} Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.5.0, 6.5.1
Comments
Pclay
There are several functions that work with string values. This topic is now updated to reflect this information.
The percentile functions seem to work for noninteger X values as well (at least it works in 6.2).
For example p99.99(y) works.
One thought: it probably should specify for list() that it'll only keep track of at most 100 values; value #101 and beyond will get discarded.
Interestingly, for values() there is no such limit.
Observe the difference between:
| makeresults count=10000 | streamstats count as rowNumber | stats values(rowNumber) as numbers
and
| makeresults count=10000 | streamstats count as rowNumber | stats list(rowNumber) as numbers