Quick Reference for SPL2 Stats and Charting Functions
There are two ways to find information about the supported statistical and charting functions:
Function list by category
The following table is a quick reference of the supported statistical and charting functions. This table lists the syntax and provides a brief description for each of the functions. Use the links in the Type of function column for more details and examples.
| Type of function | Supported functions and syntax | Description |
|---|---|---|
| Aggregate functions | avg(<value>) | Returns the average of the values in a field. |
| | count(<value>) | Returns the number of occurrences in a field. |
| | distinct_count(<value>) | Returns a count of the distinct values in a field. |
| | estdc(<value>) | Returns an estimated count of the distinct values in a field. |
| | estdc_error(<value>) | Returns the theoretical error of the estimated count of the distinct values in a field. |
| | max(<value>) | Returns the maximum value in a field. |
| | mean(<value>) | Returns the arithmetic mean of the values in a field. |
| | median(<value>) | Returns the middle-most value in a field. |
| | min(<value>) | Returns the minimum value in a field. |
| | mode(<value>) | Returns the most frequent value in a field. |
| | perc(<value>,<percentile>) | Returns the nth percentile of the values in a numeric field. There are three percentile functions: exactperc, perc, and upperperc(). |
| | range(<value>) | Returns the difference between the maximum and minimum values in a field. |
| | stdev(<value>) | Returns the sample standard deviation of the values in a field. |
| | stdevp(<value>) | Returns the population standard deviation of the values in a field. |
| | sum(<value>) | Returns the sum of the values in a field. |
| | sumsq(<value>) | Returns the sum of the squares of the values in a field. |
| | var(<value>) | Returns the sample variance of the values in a field. |
| | varp(<value>) | Returns the population variance of the values in a field. |
| Event order functions | first(<value>) | Returns the first seen value in a field. The first seen value is the most recent instance of this field, based on the order in which the events are seen by the stats command. |
| | last(<value>) | Returns the last seen value in a field. The last seen value is the oldest instance of this field, based on the order in which the events are seen by the stats command. |
| Multivalue and array functions | dataset() | Aggregates events into arrays of SPL2 field-value objects. |
| | list(<value>) | Returns a multivalue entry from the values in a field. The order of the values reflects the order of the events. |
| | pivot(<key>,<value>) | Aggregates the values in a field and returns the results as an object. |
| | values(<value>) | Returns a list of the distinct values in a field as a multivalue entry. The order of the values is lexicographical. |
| Time functions | earliest(<value>) | Returns the chronologically earliest seen occurrence of a value in a field. |
| | earliest_time(<value>) | Returns the UNIX time of the earliest occurrence of a value in a field. |
| | latest(<value>) | Returns the chronologically latest seen occurrence of a value in a field. |
| | latest_time(<value>) | Returns the UNIX time of the latest (most recent) occurrence of a value of the field. Used in conjunction with earliest, earliest_time, and latest to calculate the rate of increase for an accumulating counter. |
| | per_day(<value>) | Returns the values in a field or eval expression for each day. |
| | per_hour(<value>) | Returns the values in a field or eval expression for each hour. |
| | per_minute(<value>) | Returns the values in a field or eval expression for each minute. |
| | per_second(<value>) | Returns the values in a field or eval expression for each second. |
| | rate(<value>) | Returns the per-second rate change of the value of the field. Represents (latest - earliest) / (latest_time - earliest_time). Requires the earliest and latest values of the field to be numerical, and the earliest_time and latest_time values to be different. |
| | span(<time>,<span-length>) | Groups search results by the timespan you specify. |
| | sparkline(<aggregate-function>(<value>),<span-length>) | Produces time-based trendline charts in the search results. |
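The rate row above states a formula with two preconditions, and the first/last and earliest/latest rows describe two orderings that are easy to confuse (first is the most recent event, earliest is the chronologically oldest one). The Python model below is an added example, not code from the Splunk documentation or from SPL2 itself: it computes those functions, plus the sample versus population spread functions, over constructed events. It assumes events are dicts carrying a UNIX _time field and a numeric counter field, and that the stats pass sees them most recent first, as a search returns them; the host name and byte counts are made up.

```python
"""Added example: a small Python model of several SPL2 stats functions.

Assumptions (not from the Splunk page): events are dicts with a UNIX "_time"
field and a numeric counter field, and they reach the stats pass in the order
a search returns them, most recent first. That ordering is what makes first()
the most recent value and last() the oldest one.
"""
from statistics import stdev, pstdev, variance, pvariance

# Constructed sample events: an accumulating byte counter from one host,
# listed most-recent-first, as a search would hand them to stats.
EVENTS = [
    {"_time": 1700000300, "host": "web-01", "bytes_out": 9000},
    {"_time": 1700000200, "host": "web-01", "bytes_out": 6000},
    {"_time": 1700000100, "host": "web-01", "bytes_out": 2500},
    {"_time": 1700000000, "host": "web-01", "bytes_out": 1000},
]


def _with_field(events, field):
    """Only the events that actually carry the field; stats ignores the rest."""
    return [e for e in events if field in e]


def first(events, field):
    """first(): the first value stats sees, i.e. the most recent event's value."""
    for e in events:
        if field in e:
            return e[field]
    return None


def last(events, field):
    """last(): the last value stats sees, i.e. the oldest event's value."""
    for e in reversed(events):
        if field in e:
            return e[field]
    return None


def earliest(events, field):
    """earliest(): value from the chronologically earliest event, by _time."""
    return min(_with_field(events, field), key=lambda e: e["_time"])[field]


def latest(events, field):
    """latest(): value from the chronologically latest event, by _time."""
    return max(_with_field(events, field), key=lambda e: e["_time"])[field]


def earliest_time(events, field):
    return min(e["_time"] for e in _with_field(events, field))


def latest_time(events, field):
    return max(e["_time"] for e in _with_field(events, field))


def rate(events, field):
    """rate(): (latest - earliest) / (latest_time - earliest_time), per second.

    Returns None when the page's preconditions are not met: the endpoint
    values are not numeric, or earliest_time equals latest_time (which would
    divide by zero, e.g. a single event or several with the same timestamp).
    """
    lo, hi = earliest(events, field), latest(events, field)
    t0, t1 = earliest_time(events, field), latest_time(events, field)
    if not all(isinstance(v, (int, float)) and not isinstance(v, bool) for v in (lo, hi)):
        return None
    if t1 == t0:
        return None
    return (hi - lo) / (t1 - t0)


def spread(events, field):
    """stdev/stdevp and var/varp side by side: sample vs population estimators."""
    xs = [e[field] for e in _with_field(events, field)]
    return {
        "stdev": stdev(xs),      # divides by n - 1
        "stdevp": pstdev(xs),    # divides by n
        "var": variance(xs),
        "varp": pvariance(xs),
        "range": max(xs) - min(xs),
    }


if __name__ == "__main__":
    print("first:", first(EVENTS, "bytes_out"), "last:", last(EVENTS, "bytes_out"))
    print("earliest:", earliest(EVENTS, "bytes_out"), "latest:", latest(EVENTS, "bytes_out"))
    print("rate (bytes/s):", rate(EVENTS, "bytes_out"))
    print(spread(EVENTS, "bytes_out"))
```

With the constructed events, first() and latest() both return 9000 and last() and earliest() both return 1000 only because the search order happens to be reverse-chronological; if events arrive out of time order, the event-order functions and the time functions diverge, which is why rate() is defined on earliest/latest rather than on first/last.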
Alphabetical list of functions
The following table is a quick reference of the supported statistical and charting functions. This table lists the syntax and provides a brief description for each of the functions. Use the links for more details and examples.
| Supported functions and syntax | Description | Type of function |
|---|---|---|
| avg(<value>) | Returns the average of the values in a field. | Aggregate functions |
| count(<value>) | Returns the number of occurrences in a field. | Aggregate functions |
| dataset() | Aggregates events into arrays of SPL2 field-value objects. | Multivalue and array functions |
| distinct_count(<value>) | Returns a count of the distinct values in a field. | Aggregate functions |
| earliest(<value>) | Returns the chronologically earliest seen occurrence of a value in a field. | Time functions |
| earliest_time(<value>) | Returns the UNIX time of the earliest occurrence of a value of the field. | Time functions |
| estdc(<value>) | Returns an estimated count of the distinct values in a field. | Aggregate functions |
| estdc_error(<value>) | Returns the theoretical error of the estimated count of the distinct values in a field. | Aggregate functions |
| first(<value>) | Returns the first seen value in a field. The first seen value is the most recent instance of this field, based on the order in which the events are seen by the stats command. | Event order functions |
| last(<value>) | Returns the last seen value in a field. The last seen value is the oldest instance of this field, based on the order in which the events are seen by the stats command. | Event order functions |
| latest(<value>) | Returns the chronologically latest seen occurrence of a value in a field. | Time functions |
| latest_time(<value>) | Returns the UNIX time of the latest occurrence of a value in a field. | Time functions |
| list(<value>) | Returns a multivalue entry from the values in a field. The order of the values reflects the order of the events. | Multivalue and array functions |
| max(<value>) | Returns the maximum value in a field. | Aggregate functions |
| mean(<value>) | Returns the arithmetic mean of the values in a field. | Aggregate functions |
| median(<value>) | Returns the middle-most value in a field. | Aggregate functions |
| min(<value>) | Returns the minimum value in a field. | Aggregate functions |
| mode(<value>) | Returns the most frequent value in a field. | Aggregate functions |
| percentile(<value>,<percentile>) | Returns the nth percentile of the values in a numeric field. There are three percentile functions: exactperc, percentile, and upperperc(). | Aggregate functions |
| per_day(<value>) | Returns the values in a field or eval expression for each day. | Time functions |
| per_hour(<value>) | Returns the values in a field or eval expression for each hour. | Time functions |
| per_minute(<value>) | Returns the values in a field or eval expression for each minute. | Time functions |
| per_second(<value>) | Returns the values in a field or eval expression for each second. | Time functions |
| pivot(<key>,<value>) | Aggregates the values in a field and returns the results as an object. | Multivalue and array functions |
| range(<value>) | Returns the difference between the maximum and minimum values in a field. | Aggregate functions |
| rate(<value>) | Returns the per-second rate change of the value of the field. Represents (latest - earliest) / (latest_time - earliest_time). Requires the earliest and latest values of the field to be numerical, and the earliest_time and latest_time values to be different. | Time functions |
| span(<time>,<span-length>) | Groups search results by the timespan you specify. | Time functions |
| sparkline(<aggregate-function>(<value>),<span-length>) | Produces time-based trendline charts in the search results. | Time functions |
| stdev(<value>) | Returns the sample standard deviation of the values in a field. | Aggregate functions |
| stdevp(<value>) | Returns the population standard deviation of the values in a field. | Aggregate functions |
| sum(<value>) | Returns the sum of the values in a field. | Aggregate functions |
| sumsq(<value>) | Returns the sum of the squares of the values in a field. | Aggregate functions |
| var(<value>) | Returns the sample variance of the values in a field. | Aggregate functions |
| varp(<value>) | Returns the population variance of the values in a field. | Aggregate functions |
| values(<value>) | Returns a list of the distinct values in a field as a multivalue entry. The order of the values is lexicographical. | Multivalue and array functions |
See also
Overview of SPL2 stats and chart functions
Aggregate functions
This documentation applies to the following versions of Splunk® Cloud Services: current