Aggregation
The following are scalar functions that you can use in the stats and aggregate with trigger streaming functions to perform calculations over data in a given time window.
average(X)
Calculates the average (mean) of values in a time window.
- Function Input
  - value: T
- Function Output
  - double
SPL2 example
The following example returns the average (mean) "size" for each distinct "host".
...| stats average(size) BY host, span(timestamp, 50s, 10s) |...;
count(X)
Returns the number of non-null values in a time window.
- Function Input
  - value: any
- Function Output
  - long
SPL2 example
Returns the count of the "status_code" field.
...| stats count(status_code) by status_code, span(window_start, 5000ms, 1000ms, 1000ms) |...;
max(X)
Returns the maximum value in a time window.
- Function Input
  - value: number
- Function Output
  - number
SPL2 example
Returns the maximum value of the "time_taken" field.
...| stats max(time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
mean(X)
Calculates the average (mean) of values in a time window.
- Function Input
  - value: number
- Function Output
  - double
SPL2 example
Returns the average value of the "time_taken" field.
...| stats mean(time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
min(X)
Returns the minimum value in a time window.
- Function Input
  - value: number
- Function Output
  - number
SPL2 example
Returns the minimum value of the "time_taken" field.
...| stats min(time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
sum(X)
Returns the sum of values in a time window.
- Function Input
  - value: number
- Function Output
  - number
SPL2 example
Returns the sum of the "time_taken" field.
...| stats sum(time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
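To make the sliding-window semantics behind these examples concrete, the following added Python sketch (not Splunk DSP code) computes average, count, max, min and sum per host over span-style windows of length 50s sliding every 10s. It assumes, as a modelling choice of my own, that each window starts at a multiple of the slide and covers [start, start + length), and that count ignores null values.

```python
# Added illustration of windowed aggregation (not DSP code).
# Assumptions (mine, not the page's): a window span(timestamp, length, slide)
# starts at a multiple of `slide` and covers [start, start + length);
# count(X) skips null (None) values, and so do the numeric functions.
from collections import defaultdict

def windows(ts_ms, length_ms, slide_ms):
    """Yield the start time of every sliding window that contains ts_ms."""
    start = (ts_ms // slide_ms) * slide_ms  # latest window starting at/before ts
    while start > ts_ms - length_ms:        # earlier windows still covering ts
        yield start
        start -= slide_ms

def windowed_stats(events, length_ms, slide_ms, field, key):
    """Group events by (key, window_start) and compute the page's functions."""
    buckets = defaultdict(list)
    for ev in events:
        for start in windows(ev["timestamp"], length_ms, slide_ms):
            buckets[(ev[key], start)].append(ev.get(field))
    result = {}
    for k, vals in buckets.items():
        non_null = [v for v in vals if v is not None]
        stats = {"count": len(non_null)}       # count(X): non-null values only
        if non_null:
            stats.update(
                average=sum(non_null) / len(non_null),  # mean(X) is the same
                max=max(non_null), min=min(non_null), sum=sum(non_null))
        result[k] = stats
    return result

# Constructed sample events: timestamps in ms, "size" in bytes, None = field missing
EVENTS = [
    {"timestamp": 5_000,  "host": "web1", "size": 100},
    {"timestamp": 12_000, "host": "web1", "size": 300},
    {"timestamp": 15_000, "host": "web2", "size": 50},
    {"timestamp": 58_000, "host": "web1", "size": None},
    {"timestamp": 61_000, "host": "web1", "size": 600},
]

if __name__ == "__main__":
    # Equivalent of: ...| stats average(size) BY host, span(timestamp, 50s, 10s)
    res = windowed_stats(EVENTS, 50_000, 10_000, "size", "host")
    for (host, start), st in sorted(res.items()):
        print(host, start, st)
```

Note that one event lands in several overlapping windows, which is why a single "size" value contributes to up to five consecutive window results.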
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0