Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

Statistical and charting functions

You can use the statistical and charting functions with the chart, stats, and timechart commands.

Support for related commands

The functions can also be used with related statistical and charting commands.

Command Supported related commands
chart
stats
timechart

Functions that you can use to create sparkline charts are noted in the documentation for each function. Sparkline is a function that applies to only the chart and stats commands, and allows you to call other functions. For more information, see Add sparklines to search results in the Search Manual.

How field values are processed

Most of the statistical and charting functions expect the field values to be numbers. All of the values are processed as numbers, and any non-numeric values are ignored.

The following functions process the field values as literal string values, even though the values are numbers.

  • count
  • dc
  • earliest
  • estdc
  • estdc_error
  • first
  • latest
  • last
  • list
  • max
  • min
  • mode
  • values

For example, you use the distinct count function and the field contains values such as "1", "1.0", and "01". Each value is considered a distinct string value.

The only exceptions are the max and min functions. These functions process values as numbers if possible. For example, values such as "1", "1.0", and "01" are processed the same numeric value.

Types of statistical and charting functions

Type of function Supported functions
Aggregate functions avg(X)

count(X)
distinct_count(X)
estdc(X)
estdc_error(X)
max(X)
mean(X)
median(X)
min(X)
mode(X)
percentile<X>(Y)
range(X)
stdev(X)
stdevp(X)
sumsq(X)
var(X)
varp(X)

Event order functions earliest(X)

first(X)
last(X)
latest(X)

Multivalue stats functions list(X)

values(X)

Time functions per_day(X)

per_hour(X)
per_minute(X)
per_second(X)

See also

Evaluation functions

stats, chart, timechart, eventstats, streamstats, geostats

Answers

Have questions? Visit Splunk Answers and search for a specific function or command.

PREVIOUS
Trig and Hyperbolic Functions
  NEXT
Aggregate functions

This documentation applies to the following versions of Splunk® Enterprise: 6.6.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters