
# Statistical eval functions

The following list contains the evaluation functions that you can use to calculate statistics.

For information about using string and numeric fields in functions, and nesting functions, see Overview of SPL2 eval functions.

In addition to these functions, the Stats and charting functions Quick Reference lists a comprehensive set of functions that you can use with the `stats`, `timechart`, and related commands.

## max(<values>)

This function takes one or more numeric or string values and returns the maximum value. Strings are greater than numbers.

### Usage

You can use this function with the `eval` and `where` commands, in the WHERE clause of the `from` command, and as part of evaluation expressions with other commands.

To use named arguments, you must specify the list of values in an array, enclosing the values in square brackets. The syntax for named arguments is `max(values: [<value>, <value>, ...])`. For example:

`...max(values:[1, 3, 6, 7, "foo", myfield])`

### Basic examples

The following example returns either `"foo"` or the value in the `name` field. Splunk searches use lexicographical order, where numbers are sorted before letters. If the value in the `name` field is `"baz"`, then `"foo"` is returned. If the value in the `name` field is `"zaz"`, then `"zaz"` is returned.

`... | eval n=max(1, 3, 6, 7, "foo", name)`

This example returns the maximum value in a multivalue field.

The following search creates a field called `n` with a single value, which is a series of numbers. The `makemv` command is used to make the single value into multiple values, each of which appears on its own row in the results. Another new field called `maxn` is created, which takes the values in `n` and returns the maximum value, `6`.

```| makeresults | eval n = "1 3 5 6 4 2" | makemv n | eval maxn = max(n)```

The results look like this:

| _time | maxn | n |
| --- | --- | --- |
| 2021-01-29 10:42:37 | 6 | 1 |
| | | 3 |
| | | 5 |
| | | 6 |
| | | 4 |
| | | 2 |

## min(<values>)

This function takes one or more numeric or string values and returns the minimum value. Strings are greater than numbers.

### Usage

You can use this function with the `eval` and `where` commands, in the WHERE clause of the `from` command, and as part of evaluation expressions with other commands.

To use named arguments, you must specify the list of values in an array, enclosing the values in square brackets. The syntax for named arguments is `min(values: [<value>, <value>, ...])`. For example:

`...min(values:[3, 6, 7, "foo", myfield])`

### Basic examples

The following example returns either `3` or the value in the `size` field. Splunk searches use lexicographical order, where numbers are sorted before letters. If the value in the `size` field is `9`, then `3` is returned. If the value in the `size` field is `1`, then `1` is returned.

`... | eval n=min(3, 6, 7, "maria", size)`

The following example returns the minimum value in a multivalue field.

This search creates a field called `n` with a single value, which is a series of numbers. The `makemv` command is used to make the single value into multiple values, each of which appears on its own row in the results. Another new field called `minn` is created, which takes the values in `n` and returns the minimum value, `2`.

```| makeresults | eval n = "3 5 6 4 7 2" | makemv n | eval minn = min(n)```

The results look like this:

| _time | minn | n |
| --- | --- | --- |
| 2021-01-29 10:42:37 | 2 | 3 |
| | | 5 |
| | | 6 |
| | | 4 |
| | | 7 |
| | | 2 |

## random()

This function returns a pseudo-random integer ranging from 0 to 2^31-1.

### Usage

You can use this function with the `eval` and `where` commands, in the WHERE clause of the `from` command, and as part of evaluation expressions with other commands.

### Basic examples

The following example returns a random integer, such as `0...2147483647`.

`... | eval n=random()`

The following example returns a random number within a specified range. In this example the random number is between 1 and 100,000.

`| eval n=(random() % 100000) + 1`

This example takes a random number and uses the modulo operator (`%`) to divide the random number by 100000 and keep the remainder. This ensures that the random number returned is not greater than 100000. The remainder is increased by 1 to ensure that the number is greater than or equal to 1.
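The arithmetic of `(random() % 100000) + 1`, modelled in Python as an added example that is not part of the Splunk documentation. It assumes `random()` is uniform over the documented range of 0 to 2^31-1 and shows that, because 2^31 is not a multiple of 100000, the low results occur slightly more often. The function names `modulo_bias` and `unbiased_in_range` are hypothetical, and the second function shows rejection sampling as one way to remove the skew.

```python
# Added example: models the arithmetic only, not Splunk's generator.
# Assumption: random() is uniform over 0 .. 2**31 - 1 (the documented range).
import secrets

RANGE_SIZE = 2**31  # count of distinct values in 0 .. 2**31 - 1


def modulo_bias(n, range_size=RANGE_SIZE):
    """Describe how (r % n) + 1 is distributed when r is uniform on [0, range_size)."""
    full_cycles, leftover = divmod(range_size, n)
    if leftover == 0:
        # n divides the range evenly: every result is equally likely.
        return {"favoured_results": None, "count_favoured": full_cycles,
                "count_other": full_cycles, "relative_excess": 0.0}
    return {
        # Results 1..leftover are produced by one extra input value each.
        "favoured_results": (1, leftover),
        "count_favoured": full_cycles + 1,
        "count_other": full_cycles,
        "relative_excess": 1 / full_cycles,
    }


def _stand_in_draw():
    # Stand-in source for the demo; substitute any uniform 31-bit source.
    return secrets.randbelow(RANGE_SIZE)


def unbiased_in_range(n, draw=_stand_in_draw, range_size=RANGE_SIZE):
    """Rejection sampling: discard draws that fall in the incomplete final cycle."""
    limit = range_size - (range_size % n)  # largest multiple of n <= range_size
    while True:
        r = draw()
        if r < limit:
            return (r % n) + 1


if __name__ == "__main__":
    info = modulo_bias(100000)
    lo, hi = info["favoured_results"]
    print(f"results {lo}..{hi} occur {info['count_favoured']} times each,")
    print(f"all other results occur {info['count_other']} times each")
    print(f"relative excess: {info['relative_excess']:.6%}")
    print("unbiased sample:", unbiased_in_range(100000))
```

The skew is small for sampling or load-spreading in a search, but it grows as the modulus approaches the size of the generator's range.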
