Splunk® Enterprise

Search Reference


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Functions for stats, chart, and timechart

These are statistical functions that you can use with the chart, stats, and timechart commands.

  • Functions that are relevant for stats are also relevant for eventstats and streamstats.
  • Functions that are relevant for chart, stats, and timechart are also relevant for their respective summary indexing counterparts: sichart, sistats, and sitimechart.


Each entry below gives the function, its description, the commands it can be used with, and any examples.

avg(X)
  Description: This function returns the average of the values of field X. See also mean(X).
  Commands: chart, stats, timechart
  Example: This example returns the average response time:

    avg(responseTime)

c(X) | count(X)
  Description: This function returns the number of occurrences of the field X. To indicate a specific field value to match, format X as eval(field="value").
  Commands: chart, stats, timechart, sparkline()
  Examples: This example returns the count of events where status has the value "404":

    count(eval(status="404"))

  These generate sparklines for the counts of events. The first looks at the _raw field. The second counts events with a user field:

    sparkline(count)

    sparkline(count(user))

dc(X) | distinct_count(X)
  Description: This function returns the count of distinct values of the field X.
  Commands: chart, stats, timechart, sparkline()
  Examples: This example generates sparklines for the distinct count of devices and renames the field "numdevices":

    sparkline(dc(device)) AS numdevices

  This example counts the distinct sources for each sourcetype, bucketing the count into five-minute spans:

    sparkline(dc(source,5m)) by sourcetype

earliest(X)
  Description: This function returns the chronologically earliest seen occurrence of a value of the field X.
  Commands: chart, stats, timechart

estdc(X)
  Description: This function returns the estimated count of the distinct values of the field X.
  Commands: chart, stats, timechart

estdc_error(X)
  Description: This function returns the theoretical error of the estimated count of the distinct values of the field X. The error represents the ratio abs(estimate_value - real_value)/real_value.
  Commands: chart, stats, timechart

first(X)
  Description: This function returns the first seen value of the field X. In general, the first seen value of the field is the most recent instance of this field, relative to the input order of events into the stats command.
  Commands: chart, stats, timechart

last(X)
  Description: This function returns the last seen value of the field X. In general, this is the last value of the field relative to the input order of events into the stats command.
  Commands: chart, stats, timechart

latest(X)
  Description: This function returns the chronologically latest seen occurrence of a value of the field X.
  Commands: chart, stats, timechart

list(X)
  Description: This function returns the list of all values of the field X as a multi-value entry. The order of the values reflects the order of input events.
  Commands: chart, stats, timechart

max(X)
  Description: This function returns the maximum value of the field X. If the values of X are non-numeric, the max is found from lexicographic ordering.
  Commands: chart, stats, timechart, sparkline()
  Example: This example returns the maximum value of "size":

    max(size)

mean(X)
  Description: This function returns the arithmetic mean of the field X. See also avg(X).
  Commands: chart, stats, timechart, sparkline()
  Example: This example returns the mean of "kbps" values:

    mean(kbps)

median(X)
  Description: This function returns the middle-most value of the field X.
  Commands: chart, stats, timechart

min(X)
  Description: This function returns the minimum value of the field X. If the values of X are non-numeric, the min is found from lexicographic ordering.
  Commands: chart, stats, timechart

mode(X)
  Description: This function returns the most frequent value of the field X.
  Commands: chart, stats, timechart

p<X>(Y) | perc<X>(Y)
  Description: This function returns the X-th percentile value of the field Y.
  Commands: chart, stats, timechart
  Example: This example returns the 5th percentile value of the field "total":

    perc5(total)

per_day(X)
  Description: This function returns the values of field X per day.
  Commands: timechart
  Example: This example returns the values of "total" per day:

    per_day(total)

per_hour(X)
  Description: This function returns the values of field X per hour.
  Commands: timechart
  Example: This example returns the values of "total" per hour:

    per_hour(total)

per_minute(X)
  Description: This function returns the values of field X per minute.
  Commands: timechart
  Example: This example returns the values of "total" per minute:

    per_minute(total)

per_second(X)
  Description: This function returns the values of field X per second.
  Commands: timechart
  Example: This example returns the values of "kb" per second:

    per_second(kb)

range(X)
  Description: This function returns the difference between the max and min values of the field X ONLY IF the values of X are numeric.
  Commands: chart, stats, timechart, sparkline()

stdev(X)
  Description: This function returns the sample standard deviation of the field X.
  Commands: chart, stats, timechart, sparkline()
  Example: This example returns the standard deviation of the wildcarded fields "*delay", which can match both "delay" and "xdelay":

    stdev(*delay)

stdevp(X)
  Description: This function returns the population standard deviation of the field X.
  Commands: chart, stats, timechart, sparkline()

sum(X)
  Description: This function returns the sum of the values of the field X.
  Commands: chart, stats, timechart, sparkline()
  Example:

    sum(eval(date_hour * date_minute))

sumsq(X)
  Description: This function returns the sum of the squares of the values of the field X.
  Commands: chart, stats, timechart, sparkline()

values(X)
  Description: This function returns the list of all distinct values of the field X as a multi-value entry. The order of the values is lexicographical.
  Commands: chart, stats, timechart

var(X)
  Description: This function returns the sample variance of the field X.
  Commands: chart, stats, timechart, sparkline()

varp(X)
  Description: This function returns the population variance of the field X.
  Commands: chart, stats, timechart, sparkline()
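The descriptions above state each function's rule in one sentence, but the rules that most often surprise people when building a detection search are the ordering ones: first/last follow the input order of events into stats (most recent first), earliest/latest follow _time, values() sorts lexicographically so numeric values come out in string order, and max/range only behave numerically when every value is numeric. The following Python model is an added example, not Splunk's code; it executes those documented semantics over a constructed event list so the differences can be checked offline. The event list, the field names, the out-of-order final event and the nearest-rank percentile rule are all assumptions made here; estdc, estdc_error and the per_* rate functions are not modelled.

```python
"""Reference model of the stats-function semantics documented above.

Added example, not Splunk's own code. Reproduces, on a constructed event list,
count / count(eval(...)), dc, first/last versus earliest/latest, values, max and
range on numeric vs non-numeric fields, median, mode, perc<X>, sum(eval(...))
and the sample vs population forms of stdev. estdc and per_* are not modelled.
"""
import math
import statistics
from collections import Counter

# Constructed events. stats receives events most recent first; the final event
# is deliberately out of order (think of a late forwarder batch) so that
# first/last and earliest/latest give different answers.
EVENTS = [
    {"_time": 1700000300, "status": "404", "user": "bob",   "size": 512,  "responseTime": 120},
    {"_time": 1700000180, "status": "404", "user": "bob",   "size": 128,  "responseTime": 300},
    {"_time": 1700000120, "status": "500",                  "size": 64,   "responseTime": 950},
    {"_time": 1700000060, "status": "200", "user": "carol", "size": 4096, "responseTime": 45},
    {"_time": 1700000240, "status": "200", "user": "alice", "size": 2048, "responseTime": 80},
]

def field_values(events, field):
    # Values of `field` in input order; events lacking the field are skipped.
    return [e[field] for e in events if field in e]

def is_numeric(vals):
    return bool(vals) and all(isinstance(v, (int, float)) for v in vals)

def count(events, field=None, condition=None):
    # count / count(X) / count(eval(cond)).
    if condition is not None:
        return sum(1 for e in events if condition(e))
    return len(events) if field is None else len(field_values(events, field))

def dc(events, field):
    # dc(X): number of distinct values.
    return len(set(field_values(events, field)))

def first(events, field):
    # first(X): first value in input order, i.e. from the most recently input event.
    vals = field_values(events, field)
    return vals[0] if vals else None

def last(events, field):
    # last(X): last value in input order.
    vals = field_values(events, field)
    return vals[-1] if vals else None

def earliest(events, field):
    # earliest(X): value from the chronologically earliest event carrying X.
    carriers = [e for e in events if field in e]
    return min(carriers, key=lambda e: e["_time"])[field] if carriers else None

def latest(events, field):
    # latest(X): value from the chronologically latest event carrying X.
    carriers = [e for e in events if field in e]
    return max(carriers, key=lambda e: e["_time"])[field] if carriers else None

def values(events, field):
    # values(X): distinct values in lexicographic order (numbers compare as strings).
    return sorted(set(field_values(events, field)), key=str)

def max_value(events, field):
    # max(X): numeric when every value is a number, otherwise lexicographic.
    vals = field_values(events, field)
    if not vals:
        return None
    return max(vals) if is_numeric(vals) else max(vals, key=str)

def value_range(events, field):
    # range(X): max - min, only when the values are numeric.
    vals = field_values(events, field)
    return max(vals) - min(vals) if is_numeric(vals) else None

def median(events, field):
    return statistics.median(field_values(events, field))

def mode(events, field):
    vals = field_values(events, field)
    return Counter(vals).most_common(1)[0][0] if vals else None

def perc(events, field, p):
    # perc<p>(X) as a nearest-rank percentile (an assumption; the page does not
    # state Splunk's interpolation rule).
    vals = sorted(field_values(events, field))
    return vals[max(1, math.ceil(p / 100 * len(vals))) - 1]

def sum_values(events, expr):
    # sum(eval(expr)): sum of a per-event expression, skipping events where it is None.
    return sum(v for v in (expr(e) for e in events) if v is not None)

def stdev(events, field):   # stdev(X): sample standard deviation (n - 1)
    return statistics.stdev(field_values(events, field))

def stdevp(events, field):  # stdevp(X): population standard deviation (n)
    return statistics.pstdev(field_values(events, field))
```

With this event list, `first(EVENTS, "user")` and `latest(EVENTS, "user")` both give "bob", but `last(EVENTS, "user")` gives "alice" while `earliest(EVENTS, "user")` gives "carol", which is exactly the input-order versus time-order distinction the table draws. `values(EVENTS, "size")` returns [128, 2048, 4096, 512, 64], the lexicographic order the values() entry warns about, and `sum_values(EVENTS, lambda e: e.get("size"))` plays the role of sum(size), with a lambda computing a product standing in for sum(eval(...)).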

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7

