Splunk® Cloud Services

SPL2 Search Reference

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

fieldsummary command usage

The fieldsummary command displays the summary information in a results table. The following information appears in the results table:

Summary field name Description
field The field name in the event.
count The number of events or results with that field.
distinct_count The number of unique values in the field.
is_exact Whether or not the count of the distinct field values is exact. If the number of distinct values of the field exceeds the maxvals value, then fieldsummary stops retaining all the distinct values and computes an approximate distinct count instead of an exact one. 1 means the distinct count is exact; 0 means the distinct count is not exact.
max If the field is numeric, the maximum of its value.
mean If the field is numeric, the mean of its values.
min If the field is numeric, the minimum of its values.
numeric_count The count of numeric values in the field. The count doesn't include null values.
stdev If the field is numeric, the standard deviation of its values.
values The distinct values of the field and count of each value. The values are sorted first by highest count and then by distinct value, in ascending order.

Differences between SPL and SPL2

Default maximum values returned has changed

The default number of distinct values returned for a field is different in SPL2:

Version Value
SPL 100
SPL2 10

Field argument syntax is different

The field argument in SPL2 has a different syntax than in SPL:

Version Syntax Example
SPL wc-field-list

A single field name or a space-delimited list of field names.

| fieldsummary action pid quantity

SPL2 field=[<field-list>]

A single field name or a comma-delimited list of field names. The field names must be enclosed in square brackets [ ] .

| fieldsummary fields=[action, pid, quantity]

See also

fieldsummary command
fieldsummary command overview
fieldsummary command syntax details
fieldsummary command examples
Last modified on 19 December, 2022
fieldsummary command syntax details
fieldsummary command examples

This documentation applies to the following versions of Splunk® Cloud Services: current

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters