fieldsummary command usage
The fieldsummary command displays the summary information in a results table. The following information appears in the results table:
| Summary field name | Description |
|---|---|
field
|
The field name in the event. |
count
|
The number of events or results with that field. |
distinct_count
|
The number of unique values in the field. |
is_exact
|
Whether or not the count of the distinct field values is exact. If the number of distinct values of the field exceeds the maxvals value, then fieldsummary stops retaining all the distinct values and computes an approximate distinct count instead of an exact one. 1 means the distinct count is exact; 0 means the distinct count is not exact.
|
max
|
If the field is numeric, the maximum of its value. |
mean
|
If the field is numeric, the mean of its values. |
min
|
If the field is numeric, the minimum of its values. |
numeric_count
|
The count of numeric values in the field. The count doesn't include null values. |
stdev
|
If the field is numeric, the standard deviation of its values. |
values
|
The distinct values of the field and count of each value. The values are sorted first by highest count and then by distinct value, in ascending order. |
Differences between SPL and SPL2
Default maximum values returned has changed
The default number of distinct values returned for a field is different in SPL2:
| Version | Value |
|---|---|
| SPL | 100 |
| SPL2 | 10 |
Field argument syntax is different
The field argument in SPL2 has a different syntax than in SPL:
| Version | Syntax | Example |
|---|---|---|
| SPL | wc-field-list
|
|
| SPL2 | field=[<field-list>]
|
|
See also
Last modified on 19 December, 2022
| fieldsummary command syntax details | fieldsummary command examples |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!