Statistical eval functions
The following list contains the SPL2 evaluation functions that you can use to calculate statistics.
For information about using string and numeric fields in functions, and nesting functions, see Overview of SPL2 eval functions.
In addition to these functions, there is a comprehensive set of Quick Reference for SPL2 Stats and Charting Functions that you can use with the stats, timechart, and related commands.
max(<values>)
This function takes one or more numeric or string values and returns the maximum value. Strings are greater than numbers.
Usage
You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.
Basic examples
The following example returns either "foo" or the value in the name field. Splunk searches use lexicographical order, where numbers are sorted before letters. If the value in the name field is "baz", then "foo" is returned. If the value in the name field is "zaz", then "zaz" is returned.
... | eval n=max(1, 3, 6, 7, "foo", name)
This example returns the maximum value in a multivalue field.
The following search creates a field called n with a single value, which is a series of numbers. The makemv command is used to make the single value into multiple values, each of which appears on it's own row in the results. Another new field called maxn is created which takes the values in n and returns the maximum value, 6.
| makeresults | eval n = "1 3 5 6 4 2" | makemv n
| eval maxn = max(n)
The results look like this:
| _time | maxn | n |
|---|---|---|
| 2021-01-29 10:42:37 | 6 | 1 3 |
min(<values>)
This function one or more numeric or string values and returns the minimum value. Strings are greater than numbers.
Usage
You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.
Basic examples
The following example returns either 3 or the value in the size field. Splunk searches use lexicographical order, where numbers are sorted before letters. If the value in the size field is 9, then 3 is returned. If the value in the size field is 1, then 1 is returned.
... | eval n=min(3, 6, 7, "maria", size)
The following example returns the minimum value in a multivalue field.
This search creates a field called n with a single value, which is a series of numbers. The makemv command is used to make the single value into multiple values, each of which appears on it's own row in the results. Another new field called minn is created which takes the values in n and returns the minimum value, 2.
| makeresults | eval n = "3 5 6 4 7 2" | makemv n
| eval minn = min(n)
The results look like this:
| _time | minn | n |
|---|---|---|
| 2021-01-29 10:42:37 | 2 | 3 5 |
random()
This function returns a pseudo-random integer ranging from 0 to 231-1.
Usage
You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.
Basic examples
The following example returns a random integer, such as 0...2147483647.
... | eval n=random()
The following example returns a random number within a specified range. In this example the random number is between 1 and 100,000.
| eval n=(random() % 100000) + 1
This example takes a random number and uses the modulo mathematical operator ( % ) to divide the random number by 100000. This ensures that the random number returned is not greater than 100000. The number remaining after the division is increased by 1 to ensure that the number is at least greater than or equal to 1.
For more information about modulo operator, see :Overview of SPL2 eval functions.
See also
- Function information
- Quick Reference for SPL2 eval functions
- Overview of SPL2 eval functions
- Naming function arguments in the SPL2 Search Manual
| Multivalue eval functions | Text functions |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!