
# Quick Reference for SPL2 Stats and Charting Functions

This topic lists the supported statistical and charting functions in two ways: grouped by category, and alphabetically.

## Function list by category

The following table is a quick reference of the supported statistical and charting functions. This table lists the syntax and provides a brief description for each of the functions. Use the links in the Type of function column for more details and examples.

| Type of function | Supported functions and syntax | Description |
|---|---|---|
| Aggregate functions | `avg(<value>)` | Returns the average of the values in a field. |
| Aggregate functions | `count(<value>)` | Returns the number of occurrences in a field. |
| Aggregate functions | `distinct_count(<value>)` | Returns a count of the distinct values in a field. |
| Aggregate functions | `estdc(<value>)` | Returns an estimated count of the distinct values in a field. |
| Aggregate functions | `estdc_error(<value>)` | Returns the theoretical error of the estimated count of the distinct values in a field. |
| Aggregate functions | `max(<value>)` | Returns the maximum value in a field. |
| Aggregate functions | `mean(<value>)` | Returns the arithmetic mean of the values in a field. |
| Aggregate functions | `median(<value>)` | Returns the middle-most value in a field. |
| Aggregate functions | `min(<value>)` | Returns the minimum value in a field. |
| Aggregate functions | `mode(<value>)` | Returns the most frequent value in a field. |
| Aggregate functions | `perc(<value>,<percentile>)` | Returns the nth percentile of the values in a numeric field. There are three percentile functions: `exactperc`, `perc`, and `upperperc`. |
| Aggregate functions | `range(<value>)` | Returns the difference between the maximum and minimum values in a field. |
| Aggregate functions | `stdev(<value>)` | Returns the sample standard deviation of the values in a field. |
| Aggregate functions | `stdevp(<value>)` | Returns the population standard deviation of the values in a field. |
| Aggregate functions | `sum(<value>)` | Returns the sum of the values in a field. |
| Aggregate functions | `sumsq(<value>)` | Returns the sum of the squares of the values in a field. |
| Aggregate functions | `var(<value>)` | Returns the sample variance of the values in a field. |
| Aggregate functions | `varp(<value>)` | Returns the population variance of the values in a field. |
| Event order functions | `first(<value>)` | Returns the first seen value in a field. The first seen value is the most recent instance of this field, based on the order in which the events are seen by the `stats` command. |
| Event order functions | `last(<value>)` | Returns the last seen value in a field. The last seen value is the oldest instance of this field, based on the order in which the events are seen by the `stats` command. |
| Multivalue and array functions | `dataset()` | Aggregates events into arrays of SPL2 field-value objects. |
| Multivalue and array functions | `list(<value>)` | Returns a multivalue entry from the values in a field. The order of the values reflects the order of the events. |
| Multivalue and array functions | `pivot(<key>,<value>)` | Aggregates the values in a field and returns the results as an object. |
| Multivalue and array functions | `values(<value>)` | Returns a list of the distinct values in a field as a multivalue entry. The order of the values is lexicographical. |
| Time functions | `earliest(<value>)` | Returns the chronologically earliest seen occurrence of a value in a field. |
| Time functions | `earliest_time(<value>)` | Returns the UNIX time of the earliest occurrence of a value in a field. |
| Time functions | `latest(<value>)` | Returns the chronologically latest seen occurrence of a value in a field. |
| Time functions | `latest_time(<value>)` | Returns the UNIX time of the latest (most recent) occurrence of a value of the field. Used in conjunction with `earliest`, `earliest_time`, and `latest` to calculate the rate of increase for an accumulating counter. |
| Time functions | `per_day(<value>)` | Returns the values in a field or eval expression for each day. |
| Time functions | `per_hour(<value>)` | Returns the values in a field or eval expression for each hour. |
| Time functions | `per_minute(<value>)` | Returns the values in a field or eval expression for each minute. |
| Time functions | `per_second(<value>)` | Returns the values in a field or eval expression for each second. |
| Time functions | `rate(<value>)` | Returns the per-second rate of change of the value of the field. Represents `(latest - earliest) / (latest_time - earliest_time)`. Requires the `earliest` and `latest` values of the field to be numerical, and the `earliest_time` and `latest_time` values to be different. |
| Time functions | `span(<time>,<span-length>)` | Groups search results by the timespan you specify. |
| Time functions | `sparkline(<aggregate-function>(<value>),<span-length>)` | Produces time-based trendline charts in the search results. |
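As an added example (not code from the Splunk documentation), the following Python models the difference between `first`/`last` (stream order, most recent event first) and `earliest`/`latest` (time order), and applies the `rate` formula from the table to a constructed accumulating counter; the `Event` class and the sample values are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    time: float   # UNIX time of the event (the _time field)
    value: float  # an accumulating counter, e.g. bytes sent by a host


# Constructed sample: one counter sampled four times, listed in the order the
# stats command would see them (most recent event first, oldest last).
EVENTS: List[Event] = [
    Event(time=1700000300.0, value=9000.0),
    Event(time=1700000200.0, value=7000.0),
    Event(time=1700000100.0, value=4000.0),
    Event(time=1700000000.0, value=1000.0),
]


def first(events: List[Event]) -> float:
    """first(): the first value in stream order, i.e. the most recent event."""
    return events[0].value


def last(events: List[Event]) -> float:
    """last(): the last value in stream order, i.e. the oldest event."""
    return events[-1].value


def earliest(events: List[Event]) -> float:
    """earliest(): the value carried by the chronologically earliest event."""
    return min(events, key=lambda e: e.time).value


def latest(events: List[Event]) -> float:
    """latest(): the value carried by the chronologically latest event."""
    return max(events, key=lambda e: e.time).value


def earliest_time(events: List[Event]) -> float:
    return min(e.time for e in events)


def latest_time(events: List[Event]) -> float:
    return max(e.time for e in events)


def rate(events: List[Event]) -> Optional[float]:
    """rate(): (latest - earliest) / (latest_time - earliest_time), per second.
    Returns None when earliest_time == latest_time, since the table requires
    the two timestamps to differ (otherwise the division is undefined)."""
    dt = latest_time(events) - earliest_time(events)
    if dt == 0:
        return None
    return (latest(events) - earliest(events)) / dt
```

Note that `first` and `earliest` only coincide when the stream happens to arrive in chronological order; on the sample above they differ.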

## Alphabetical list of functions

The following table is a quick reference of the supported statistical and charting functions. This table lists the syntax and provides a brief description for each of the functions. Use the links for more details and examples.

| Supported functions and syntax | Description | Type of function |
|---|---|---|
| `avg(<value>)` | Returns the average of the values in a field. | Aggregate functions |
| `count(<value>)` | Returns the number of occurrences in a field. | Aggregate functions |
| `dataset()` | Aggregates events into arrays of SPL2 field-value objects. | Multivalue and array functions |
| `distinct_count(<value>)` | Returns a count of the distinct values in a field. | Aggregate functions |
| `earliest(<value>)` | Returns the chronologically earliest seen occurrence of a value in a field. | Time functions |
| `earliest_time(<value>)` | Returns the UNIX time of the earliest occurrence of a value of the field. | Time functions |
| `estdc(<value>)` | Returns an estimated count of the distinct values in a field. | Aggregate functions |
| `estdc_error(<value>)` | Returns the theoretical error of the estimated count of the distinct values in a field. | Aggregate functions |
| `first(<value>)` | Returns the first seen value in a field. The first seen value is the most recent instance of this field, based on the order in which the events are seen by the `stats` command. | Event order functions |
| `last(<value>)` | Returns the last seen value in a field. The last seen value is the oldest instance of this field, based on the order in which the events are seen by the `stats` command. | Event order functions |
| `latest(<value>)` | Returns the chronologically latest seen occurrence of a value in a field. | Time functions |
| `latest_time(<value>)` | Returns the UNIX time of the latest occurrence of a value in a field. | Time functions |
| `list(<value>)` | Returns a multivalue entry from the values in a field. The order of the values reflects the order of the events. | Multivalue and array functions |
| `max(<value>)` | Returns the maximum value in a field. | Aggregate functions |
| `mean(<value>)` | Returns the arithmetic mean of the values in a field. | Aggregate functions |
| `median(<value>)` | Returns the middle-most value in a field. | Aggregate functions |
| `min(<value>)` | Returns the minimum value in a field. | Aggregate functions |
| `mode(<value>)` | Returns the most frequent value in a field. | Aggregate functions |
| `percentile(<value>,<percentile>)` | Returns the nth percentile of the values in a numeric field. There are three percentile functions: `exactperc`, `percentile`, and `upperperc`. | Aggregate functions |
| `per_day(<value>)` | Returns the values in a field or eval expression for each day. | Time functions |
| `per_hour(<value>)` | Returns the values in a field or eval expression for each hour. | Time functions |
| `per_minute(<value>)` | Returns the values in a field or eval expression for each minute. | Time functions |
| `per_second(<value>)` | Returns the values in a field or eval expression for each second. | Time functions |
| `pivot(<key>,<value>)` | Aggregates the values in a field and returns the results as an object. | Multivalue and array functions |
| `range(<value>)` | Returns the difference between the maximum and minimum values in a field. | Aggregate functions |
| `rate(<value>)` | Returns the per-second rate of change of the value of the field. Represents `(latest - earliest) / (latest_time - earliest_time)`. Requires the `earliest` and `latest` values of the field to be numerical, and the `earliest_time` and `latest_time` values to be different. | Time functions |
| `span(<time>,<span-length>)` | Groups search results by the timespan you specify. | Time functions |
| `sparkline(<aggregate-function>(<value>),<span-length>)` | Produces time-based trendline charts in the search results. | Time functions |
| `stdev(<value>)` | Returns the sample standard deviation of the values in a field. | Aggregate functions |
| `stdevp(<value>)` | Returns the population standard deviation of the values in a field. | Aggregate functions |
| `sum(<value>)` | Returns the sum of the values in a field. | Aggregate functions |
| `sumsq(<value>)` | Returns the sum of the squares of the values in a field. | Aggregate functions |
| `var(<value>)` | Returns the sample variance of the values in a field. | Aggregate functions |
| `varp(<value>)` | Returns the population variance of the values in a field. | Aggregate functions |
| `values(<value>)` | Returns a list of the distinct values in a field as a multivalue entry. The order of the values is lexicographical. | Multivalue and array functions |