Splunk® Enterprise

Search Reference

fieldsummary

Description

The fieldsummary command calculates summary statistics for all fields or a subset of the fields in your events. The summary information is displayed as a results table.

Syntax

fieldsummary [maxvals=<num>] [<wc-field-list>]

Optional arguments

maxvals
Syntax: maxvals=<num>
Description: Specifies the maximum distinct values to return for each field.
Default: 100
wc-field-list
Description: A field or list of fields that can include wildcarded fields.

Usage

The fieldsummary command displays the summary information in a results table. The following information appears in the results table:

Field name Description
field The field name in the event.
count The number of events/results with that field.
distinct_count The number of unique values in the field.
is_exact Whether or not the distinct count for the field is exact. If the number of distinct values of the field exceeds maxvals, fieldsummary stops retaining all the values and computes an approximate distinct count instead of an exact one. 1 means it is exact, 0 means it is not.
max If the field is numeric, the maximum of its value.
mean If the field is numeric, the mean of its values.
min If the field is numeric, the minimum of its values.
numeric_count The count of numeric values in the field. NULL values are not included.
stdev If the field is numeric, the standard deviation of its values.
values The distinct values of the field and count of each value.

Examples

Example 1:

Return summaries for all fields from the _internal index for the last 15 minutes.

index=_internal earliest=-15m latest=now | fieldsummary


This image shows a table of results. The fields in the table are the fields that are described in the Usage section of this topic.

Example 2:

Return summaries for fields in the _internal index with names that contain "size" or "count". The search returns only the top 10 values for each field from the last 15 minutes.

index=_internal earliest=-15m latest=now | fieldsummary maxvals=10 *size* *count*


This image shows a table of results. The fields in the table are the fields that are described in the Usage section of this topic.
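
The following search is an added example, not part of the Splunk documentation. It uses the output fields described in the Usage section to list fields whose distinct count is approximate (is_exact is 0) and fields that hold a mix of numeric and non-numeric values (numeric_count is less than count), which is a quick data-quality check before building searches on those fields. The numeric_pct and cardinality field names are created by the eval commands for this illustration.

```spl
index=_internal earliest=-15m latest=now
| fieldsummary maxvals=10
| eval numeric_pct = round(100 * numeric_count / count, 1)
| eval cardinality = if(is_exact == 1, "exact", "approximate")
| where is_exact == 0 OR (numeric_count > 0 AND numeric_count < count)
| table field count distinct_count cardinality numeric_count numeric_pct
| sort - distinct_count
```

For rows marked approximate, the values column does not list every distinct value of the field; raise maxvals if you need an exact distinct count for a particular field.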

See also

analyzefields, anomalies, anomalousvalue, stats


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0

