Splunk® Cloud Services

SPL2 Search Reference

Quick Reference for SPL2 Stats and Charting Functions

There are two ways to find information about the supported statistical and charting functions: a list of functions grouped by category, and an alphabetical list of functions.

Function list by category

The following table is a quick reference of the supported statistical and charting functions. This table lists the syntax and provides a brief description for each of the functions. Use the links in the Type of function column for more details and examples.

| Type of function | Supported functions and syntax | Description |
|---|---|---|
| Aggregate functions | avg(<value>) | Returns the average of the values in a field. |
| Aggregate functions | count(<value>) | Returns the number of occurrences in a field. |
| Aggregate functions | distinct_count(<value>) | Returns a count of the distinct values in a field. |
| Aggregate functions | estdc(<value>) | Returns an estimated count of the distinct values in a field. |
| Aggregate functions | estdc_error(<value>) | Returns the theoretical error of the estimated count of the distinct values in a field. |
| Aggregate functions | max(<value>) | Returns the maximum value in a field. |
| Aggregate functions | mean(<value>) | Returns the arithmetic mean of the values in a field. |
| Aggregate functions | median(<value>) | Returns the middle-most value in a field. |
| Aggregate functions | min(<value>) | Returns the minimum value in a field. |
| Aggregate functions | mode(<value>) | Returns the most frequent value in a field. |
| Aggregate functions | perc(<value>,<percentile>) | Returns the nth percentile of the values in a numeric field. There are three percentile functions: exactperc, perc, and upperperc. |
| Aggregate functions | range(<value>) | Returns the difference between the maximum and minimum values in a field. |
| Aggregate functions | stdev(<value>) | Returns the sample standard deviation of the values in a field. |
| Aggregate functions | stdevp(<value>) | Returns the population standard deviation of the values in a field. |
| Aggregate functions | sum(<value>) | Returns the sum of the values in a field. |
| Aggregate functions | sumsq(<value>) | Returns the sum of the squares of the values in a field. |
| Aggregate functions | var(<value>) | Returns the sample variance of the values in a field. |
| Aggregate functions | varp(<value>) | Returns the population variance of the values in a field. |
| Event order functions | first(<value>) | Returns the first seen value in a field. The first seen value is the most recent instance of this field, based on the order in which the events are seen by the stats command. |
| Event order functions | last(<value>) | Returns the last seen value in a field. The last seen value is the oldest instance of this field, based on the order in which the events are seen by the stats command. |
| Multivalue and array functions | dataset() | Aggregates events into arrays of SPL2 field-value objects. |
| Multivalue and array functions | list(<value>) | Returns a multivalue entry from the values in a field. The order of the values reflects the order of the events. |
| Multivalue and array functions | pivot(<key>,<value>) | Aggregates the values in a field and returns the results as an object. |
| Multivalue and array functions | values(<value>) | Returns a list of the distinct values in a field as a multivalue entry. The order of the values is lexicographical. |
| Time functions | earliest(<value>) | Returns the chronologically earliest seen occurrence of a value in a field. |
| Time functions | earliest_time(<value>) | Returns the UNIX time of the earliest occurrence of a value in a field. |
| Time functions | latest(<value>) | Returns the chronologically latest seen occurrence of a value in a field. |
| Time functions | latest_time(<value>) | Returns the UNIX time of the latest (most recent) occurrence of a value of the field. Used in conjunction with earliest, earliest_time, and latest to calculate the rate of increase for an accumulating counter. |
| Time functions | per_day(<value>) | Returns the values in a field or eval expression for each day. |
| Time functions | per_hour(<value>) | Returns the values in a field or eval expression for each hour. |
| Time functions | per_minute(<value>) | Returns the values in a field or eval expression for each minute. |
| Time functions | per_second(<value>) | Returns the values in a field or eval expression for each second. |
| Time functions | rate(<value>) | Returns the per-second rate of change of the value of the field. Represents (latest - earliest) / (latest_time - earliest_time). Requires the earliest and latest values of the field to be numerical, and the earliest_time and latest_time values to be different. |
| Time functions | span(<time>,<span-length>) | Groups search results by the timespan you specify. |
| Time functions | sparkline(<aggregate-function>(<value>),<span-length>) | Produces time-based trendline charts in the search results. |

Alphabetical list of functions

The following table is a quick reference of the supported statistical and charting functions. This table lists the syntax and provides a brief description for each of the functions. Use the links for more details and examples.

| Supported functions and syntax | Description | Type of function |
|---|---|---|
| avg(<value>) | Returns the average of the values in a field. | Aggregate functions |
| count(<value>) | Returns the number of occurrences in a field. | Aggregate functions |
| dataset() | Aggregates events into arrays of SPL2 field-value objects. | Multivalue and array functions |
| distinct_count(<value>) | Returns a count of the distinct values in a field. | Aggregate functions |
| earliest(<value>) | Returns the chronologically earliest seen occurrence of a value in a field. | Time functions |
| earliest_time(<value>) | Returns the UNIX time of the earliest occurrence of a value of the field. | Time functions |
| estdc(<value>) | Returns an estimated count of the distinct values in a field. | Aggregate functions |
| estdc_error(<value>) | Returns the theoretical error of the estimated count of the distinct values in a field. | Aggregate functions |
| first(<value>) | Returns the first seen value in a field. The first seen value is the most recent instance of this field, based on the order in which the events are seen by the stats command. | Event order functions |
| last(<value>) | Returns the last seen value in a field. The last seen value is the oldest instance of this field, based on the order in which the events are seen by the stats command. | Event order functions |
| latest(<value>) | Returns the chronologically latest seen occurrence of a value in a field. | Time functions |
| latest_time(<value>) | Returns the UNIX time of the latest occurrence of a value in a field. | Time functions |
| list(<value>) | Returns a multivalue entry from the values in a field. The order of the values reflects the order of the events. | Multivalue and array functions |
| max(<value>) | Returns the maximum value in a field. | Aggregate functions |
| mean(<value>) | Returns the arithmetic mean of the values in a field. | Aggregate functions |
| median(<value>) | Returns the middle-most value in a field. | Aggregate functions |
| min(<value>) | Returns the minimum value in a field. | Aggregate functions |
| mode(<value>) | Returns the most frequent value in a field. | Aggregate functions |
| percentile(<value>,<percentile>) | Returns the nth percentile of the values in a numeric field. There are three percentile functions: exactperc, percentile, and upperperc. | Aggregate functions |
| per_day(<value>) | Returns the values in a field or eval expression for each day. | Time functions |
| per_hour(<value>) | Returns the values in a field or eval expression for each hour. | Time functions |
| per_minute(<value>) | Returns the values in a field or eval expression for each minute. | Time functions |
| per_second(<value>) | Returns the values in a field or eval expression for each second. | Time functions |
| pivot(<key>,<value>) | Aggregates the values in a field and returns the results as an object. | Multivalue and array functions |
| range(<value>) | Returns the difference between the maximum and minimum values in a field. | Aggregate functions |
| rate(<value>) | Returns the per-second rate of change of the value of the field. Represents (latest - earliest) / (latest_time - earliest_time). Requires the earliest and latest values of the field to be numerical, and the earliest_time and latest_time values to be different. | Time functions |
| span(<time>,<span-length>) | Groups search results by the timespan you specify. | Time functions |
| sparkline(<aggregate-function>(<value>),<span-length>) | Produces time-based trendline charts in the search results. | Time functions |
| stdev(<value>) | Returns the sample standard deviation of the values in a field. | Aggregate functions |
| stdevp(<value>) | Returns the population standard deviation of the values in a field. | Aggregate functions |
| sum(<value>) | Returns the sum of the values in a field. | Aggregate functions |
| sumsq(<value>) | Returns the sum of the squares of the values in a field. | Aggregate functions |
| var(<value>) | Returns the sample variance of the values in a field. | Aggregate functions |
| varp(<value>) | Returns the population variance of the values in a field. | Aggregate functions |
| values(<value>) | Returns a list of the distinct values in a field as a multivalue entry. The order of the values is lexicographical. | Multivalue and array functions |

See also

Overview of SPL2 stats and chart functions
Aggregate functions

Last modified on 17 May, 2023

This documentation applies to the following versions of Splunk® Cloud Services: current

