Related Answers
Download topic as PDF
fieldsummary
Description
The fieldsummary command calculates summary statistics for all fields or a subset of the fields in your events. The summary information is displayed as a results table.
Syntax
fieldsummary [maxvals=<num>] [<wc-field-list>]
Optional arguments
- maxvals
- Syntax: maxvals=<num>
- Description: Specifies the maximum distinct values to return for each field.
- Default: 100
- wc-field-list
- Description: A field or list of fields. You can specify multiple, similar field names using the asterisk ( * ) wildcard.
Usage
The fieldsummary command displays the summary information in a results table. The following information appears in the results table:
| Summary field name | Description |
|---|---|
field
|
The field name in the event. |
count
|
The number of events/results with that field. |
distinct_count
|
The number of unique values in the field. |
is_exact
|
Whether or not the field is exact. This is related to the distinct count of the field values. If the number of values of the field exceeds maxvals, then fieldsummary will stop retaining all the values and compute an approximate distinct count instead of an exact one. 1 means it is exact, 0 means it is not.
|
max
|
If the field is numeric, the maximum of its value. |
mean
|
If the field is numeric, the mean of its values. |
min
|
If the field is numeric, the minimum of its values. |
numeric_count
|
The count of numeric values in the field. This would not include NULL values. |
stdev
|
If the field is numeric, the standard deviation of its values. |
values
|
The distinct values of the field and count of each value. |
Examples
1. Return summaries for all fields
This example returns summaries for all fields in the _internal index from the last 15 minutes.
index=_internal earliest=-15m latest=now | fieldsummary
2. Return summaries for specific fields
This example returns summaries for fields in the _internal index with names that contain "size" and "count". The search returns only the top 10 values for each field from the last 15 minutes.
index=_internal earliest=-15m latest=now | fieldsummary maxvals=10 *size* *count*
See also
analyzefields, anomalies, anomalousvalue, stats
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the fieldsummary command.
|
PREVIOUS fields |
NEXT filldown |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13
Feedback submitted, thanks!