# Aggregation

The following are scalar functions that you can use in the `stats` and `aggregate with trigger` streaming functions to perform calculations over data in a given time-window.

## average(value)

Calculates the average (mean) of values in a time window.

- Function Input
  - value: T
- Function Output
  - double

### SPL2 example

The following example returns the average (mean) "size" for each distinct "host".

```
...| stats average(size) BY host, span(timestamp, 50s, 10s) |...;
```

Alternatively, you can use named arguments. See SPL2 syntax for more details.

```
...| stats average(value: size) BY host, span(timestamp, 50s, 10s) |...;
```

## count(value)

Returns the number of non-null values in a time window.

- Function Input
  - value: any
- Function Output
  - long

### SPL2 example

Returns the count of the "status_code" field.

```
...| stats count(status_code) by status_code, span(window_start, 5000ms, 1000ms, 1000ms) |...;
```

Alternatively, you can use named arguments. See SPL2 syntax for more details.

```
...| stats count(value: status_code) by status_code, span(window_start, 5000ms, 1000ms, 1000ms) |...;
```

## estdc(value)

Estimated Distinct Count (estdc) is a stats function that calculates an approximate distinct count for any field, with an error bound of ~1.5%.

- Function Input
  - value: string
- Function Output
  - long

### SPL2 example

```
... | stats estdc(input) by span(timestamp, 10ms);
```

## max(value)

Returns the maximum value in a time window.

- Function Input
  - value: number
- Function Output
  - number

### SPL2 example

Returns the maximum value of the "time_taken" field.

```
...| stats max(time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
```

Alternatively, you can use named arguments. See SPL2 syntax for more details.

```
...| stats max(value: time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
```

## mean(value)

Calculates the average (mean) of values in a time window.

- Function Input
  - value: number
- Function Output
  - double

### SPL2 example

Returns the average value of the "time_taken" field.

```
...| stats mean(time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
```

Alternatively, you can use named arguments. See SPL2 syntax for more details.

```
...| stats mean(value: time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
```

## min(value)

Returns the minimum value in a time window.

- Function Input
  - value: number
- Function Output
  - number

### SPL2 example

Returns the minimum value of the "time_taken" field.

```
...| stats min(time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
```

Alternatively, you can use named arguments. See SPL2 syntax for more details.

```
...| stats min(value: time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
```

## perc(value)

Percentiles (perc) is a stats function that computes the approximate q-th percentile value of a numeric input field, with an error bound of ~1.5%. The perc(input, 0.75) field in the result set contains the corresponding percentile value.

- Function Input
  - value: number
- Function Output
  - T

### SPL2 example

```
...| stats perc(input, 0.75) by span(timestamp, 10ms);
```

## sum(value)

Returns the sum of values in a time window.

- Function Input
  - value: number
- Function Output
  - number

### SPL2 example

Returns the sum of the "time_taken" field.

```
...| stats sum(time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
```

Alternatively, you can use named arguments. See SPL2 syntax for more details.

```
...| stats sum(value: time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
```
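
The following is an added Python example, not Splunk code: it emulates what `count(size)` and `average(size) BY host, span(timestamp, 50s, 10s)` produce over a few constructed events. It assumes the second and third `span` arguments are the window length and the slide interval and that windows are aligned to multiples of the slide (this page does not define `span`, and the fourth argument used in the `count` example is not modeled); the names `window_starts`, `windowed_stats` and `total_count` are hypothetical.

```python
from collections import defaultdict

# Constructed sample events: (timestamp in seconds, host, size).
# None models a null "size" field.
EVENTS = [
    (100, "web-1", 200),
    (104, "web-1", 400),
    (125, "web-1", None),
    (131, "web-1", 600),
    (104, "db-1", 50),
]

def window_starts(ts, size, slide):
    """Start of every window [start, start + size) that contains ts.
    Assumption: window starts are multiples of `slide`."""
    first = ((ts - size) // slide + 1) * slide   # earliest aligned start > ts - size
    last = ts - ts % slide                       # latest aligned start <= ts
    return range(first, last + 1, slide)

def windowed_stats(events, size=50, slide=10):
    """Return {(host, window_start): (count, average)} per host and window."""
    groups = defaultdict(list)
    for ts, host, value in events:
        for start in window_starts(ts, size, slide):
            bucket = groups[(host, start)]       # the group exists even for a null value
            if value is not None:                # count() only counts non-null values
                bucket.append(value)
    # Average of a group with no non-null values is None (this example's choice).
    return {
        key: (len(vals), sum(vals) / len(vals) if vals else None)
        for key, vals in groups.items()
    }

def total_count(stats, host):
    """Sum of count over all output rows (windows) for one host."""
    return sum(count for (h, _), (count, _) in stats.items() if h == host)

if __name__ == "__main__":
    stats = windowed_stats(EVENTS)
    for (host, start), (count, avg) in sorted(stats.items()):
        print(f"{host} [{start},{start + 50}) count={count} average={avg}")
    print("web-1 events with a size: 3, sum of count over rows:",
          total_count(stats, "web-1"))
```

With a 50s window sliding every 10s, each event is counted in five output rows, so summing `count` across rows overstates the event total, and a threshold on a windowed count can be met in several consecutive rows for a single burst.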


This documentation applies to the following versions of Splunk® Data Stream Processor:
1.2.0
