fieldsummary command overview
The SPL2 fieldsummary command calculates summary statistics for one or more fields in your events.
The summary information is displayed as a results table.
Syntax
The required syntax is in bold.
- fieldsummary
- [maxvals=<unsigned_int>]
- [fields="["<wc-field-list>"]" ]
How the SPL2 fieldsummary command works
The SPL2 fieldsummary command calculates summary statistics, such as the count, maximum value, minimum value, mean, and standard deviation for the fields in your search results. These summary statistics are displayed in a table for each field in your results or for the fields you specify with the fieldsummary command.
For example, suppose you have the following visitor_log information:
| hour | visitor_count |
|---|---|
| 0800 | 0 |
| 0900 | 212 |
| 1000 | 367 |
| 1100 | 489 |
| 1200 | 624 |
| 1300 | 609 |
| 1400 | 492 |
| 1500 | 513 |
| 1600 | 367 |
| 1700 | 337 |
| 1800 | 104 |
To return summary statistics for all of the fields in your search results, add the fieldsummary command to the end of your search:
FROM visitor_log | fieldsummary
The result looks similar to this:
| field | count | distinct_ count |
is_ exact |
max | mean | min | numeric_ count |
stdev | values |
|---|---|---|---|---|---|---|---|---|---|
| hour | 11 | 11 | 0 | 1800 | 1300 | 800 | 11 | 331.6 | [{"value":"1000","count":1},{"value":"1100","count":1},{"value":"1200","count":1},{"value":"1300","count":1},{"value":"1400","count":1},{"value":"1500","count":1},{"value":"1600","count":1},{"value":"1700","count":1},{"value":"1800","count":1},{"value":"800","count":1}] |
| visitor_ count |
11 | 10 | 1 | 624 | 374 | 0 | 11 | 201.1 | [{"value":"367","count":2},{"value":"0","count":1},{"value":"104","count":1},{"value":"212","count":1},{"value":"337","count":1},{"value":"489","count":1},{"value":"492","count":1},{"value":"513","count":1},{"value":"609","count":1},{"value":"624","count":1}] |
Insights into the summary fields
The fieldsummary command returns 10 fields with summary information.
Looking at the results shown in the previous example, notice a few things about these results:
- values field
-
- The entries in the
valuesfield are organized bycountin descending order. You can see this clearly in thevisitor_countrow. The value "367" has a count of "2". All of the other values have a count of "1". Even though there are 11 values, only 10 are returned. This is because the default for themaxvalsargument is 10. - When the entries in the
valuesfield have the same count, the entries are organized byvaluein lexicographical order. You can see this clearly in thehoursrow. The values that start with 1, such as "1000" come before values that start with 8 or 9, such as "800". The value "900" is not returned because only the first 10 values are returned by default. For more information, see Lexicographical order in the SPL2 Search Manual.
- The entries in the
- distinct_count field
-
- This field shows the count of different values in a field in the search results. For the
hoursrow, there are 10 different values for the hours in the day. For thevisitor_countrow, there are 9 different values for the number of visitors. The value "367" appears for both the 1000 hour and the 1600 hour.
- This field shows the count of different values in a field in the search results. For the
- is_exact field
-
- This field specifies whether the count is an exact count or an approximate count of the distinct values in a field. The value "1" indicates that the count is exact. The value "0" indicates that the count is an approximate count. The
maxvalsargument controls whether the count is exact or approximate. In this search, themaxvalsargument is not specified so the default value for themaxvalsargument is used. The default value for themaxvalsargument is 10.
- This field specifies whether the count is an exact count or an approximate count of the distinct values in a field. The value "1" indicates that the count is exact. The value "0" indicates that the count is an approximate count. The
For more information about the fields returned from the fieldsummary command, see fieldsummary command usage.
Optional arguments
There are two optional arguments that you can use with the fieldsummary command, maxvals and fields.
You can use the maxvals argument to specify how many distinct values you want returned from the search. If not specified, a maximum of 10 values is returned.
You can use the fields argument to specify which fields you want summary information for. If not specified, summary information is returned for all of the fields in your search results.
See also
- fieldsummary command
- fieldsummary command syntax details
- fieldsummary command usage
- fieldsummary command examples
| fields command examples | fieldsummary command syntax details |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!