Splunk® Cloud Services

SPL2 Search Reference


Overview of SPL2 stats and chart functions

Use statistical and charting functions to generate a calculation, such as an average or percentage, based on the fields in your events.

Quick reference

See the SPL2 Stats and Charting Functions Quick Reference for a list of the supported statistical functions, along with a brief description and the syntax for each function.

Commands that use stats functions

You can use the statistical and charting functions with the stats, eventstats, streamstats, and timechart commands.

Using eval expressions in statistical and charting functions

In some of the examples for the statistical and charting functions you might see eval expressions.

Using an eval expression in a statistical or charting function is a shortcut for specifying an eval command that creates a field, followed by a stats command that references that field.

For example:

... | stats count(eval(status="404")) AS count_status BY sourcetype

Here's another example:

... | timechart eval(round(avg(cpu_seconds),2)) BY processor

When you use an eval expression with the timechart command, you must also use a BY clause.

As a shortcut, you can use an eval <expression> in a statistical or charting function where you would normally use a <field>. One example of the eval <expression> syntax is:

... | stats func(eval(<expression>)) 

This eval <expression> syntax is equivalent to this command syntax:

... | eval temp_field = <expression> | stats func(temp_field)

Using functions

  • All functions that accept strings can accept either a literal string or a field name. 
  • All functions that accept numbers can accept either literal numbers or any numeric field name.

Some field values are processed as string literals

Most of the statistical and charting functions expect the field values to be numbers. All of the values are processed as numbers, and any non-numeric values are ignored.

The following functions process the field values as string literal values, even though the values are numbers.

  • count
  • distinct_count
  • earliest
  • estdc
  • estdc_error
  • first
  • latest
  • last
  • list
  • max
  • min
  • mode
  • values

For example, if you use the distinct_count function and the field contains values such as "1", "1.0", and "01", each value is considered a distinct string value.

The only exceptions are the max and min functions. These functions process values as numbers if possible. For example, the values "1", "1.0", and "01" are processed as the same numeric value.

Naming function arguments

When you use a function, you can include the names of the arguments in your search. Naming arguments is optional.

Naming arguments is useful to identify the arguments, especially when the function includes optional arguments or arguments that have the same data type. Naming arguments makes it clear which value applies to each argument.

For example, the syntax for the perc function is perc(value, percentile).

An example of using this function is this:

...| stats perc(age, 95)

This estimates the 95th percentile of the values in the age field.

To name the arguments, you would specify this:

... | stats perc(value: age, percentile: 95)

  • Argument names are separated from argument values by a colon ( : ).
  • If an argument can accept a list of values, you must enclose the list in square brackets ( [ ] ).
  • Named arguments can appear in any order.
  • You can choose to name only some of the arguments. However, named arguments must appear after unnamed arguments.

The following table shows valid and invalid named argument syntax for the perc and dataset functions:

Valid syntax

  Unnamed arguments:
    ... | stats perc(age, 95)

  Named arguments:
    ... | stats perc(value: age, percentile: 95)

  Named arguments in any order:
    ... | stats perc(percentile: 95, value: age)

  Not all arguments need to be named, but named arguments must follow unnamed arguments:
    ... | stats perc(age, percentile: 95)

  Multiple values for an argument in square brackets:
    ... | stats dataset(fields: [ID, name])

Invalid syntax

  Named arguments cannot come before unnamed arguments:
    ... | stats perc(value: age, 95)
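As an added example (not from this reference page), the following pipeline combines the eval shortcut from "Using eval expressions in statistical and charting functions" with the named-argument syntax from this section in a failed-logon summary per source address. The fields action, user, src and duration are assumed to exist in the authentication events; the thresholds are illustrative.

```spl2
// Assumed fields: action ("success"/"failure"), user, src, duration (seconds)
... | stats
        // shortcut for: eval is_failure = action="failure" | stats count(is_failure)
        count(eval(action="failure")) AS failures,
        count() AS total,
        // distinct_count compares string literals, so normalise case first
        distinct_count(eval(lower(user))) AS distinct_users,
        // named arguments; equivalent to perc(duration, 95)
        perc(value: duration, percentile: 95) AS p95_duration
    BY src
    // flag sources whose logon attempts are mostly failures
  | eval failure_rate = round(failures / total * 100, 2)
  | where failures > 20 AND failure_rate > 50
```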

See also

Overview of SPL2 eval functions
Overview of SPL2 dataset_functions
Last modified on 22 June, 2021

This documentation applies to the following versions of Splunk® Cloud Services: current
