Statistical and charting functions
You can use the statistical and charting functions with the
chart,
stats, and
timechart commands.
The functions can also be used with related statistical and charting commands. The following table lists the commands supported by the statistical and charting functions and the related command that can also use these functions.
| Command | Supported related commands |
|---|---|
chart
|
|
stats
|
|
timechart
|
Functions that you can use to create sparkline charts are noted in the documentation for each function. Sparkline is a function that applies to only the chart and stats commands, and allows you to call other functions. For more information, see Add sparklines to search results in the Search Manual.
How field values are processed
Most of the statistical and charting functions expect the field values to be numbers. All of the values are processed as numbers, and any non-numeric values are ignored.
The following functions process the field values as literal string values, even though the values are numbers.
|
|
|
|
For example, you use the distinct_count function and the field contains values such as "1", "1.0", and "01". Each value is considered a distinct string value.
The only exceptions are the max and min functions. These functions process values as numbers if possible. For example, the values "1", "1.0", and "01" are processed as the same numeric value.
Supported functions and syntax
There are two ways that you can see information about the supported statistical and charting functions:
Function list by category
The following table is a quick reference of the supported statistical and charting functions, organized by category. This table provides a brief description for each functions. Use the links in the table to learn more about each function and to see examples.
| Type of function | Supported functions and syntax | Description |
|---|---|---|
| Aggregate functions | avg(<value>)
|
Returns the average of the values in the field specified. |
count(<value>)
|
Returns the number of occurrences where the field that you specify contains any value (is not empty). You can also count the occurrences of a specific value in the field by using the eval command with the count function. For example: count( eval(field_name="value")).
| |
distinct_count(<value>)
|
Returns the count of distinct values in the field specified. | |
estdc(<value>)
|
Returns the estimated count of the distinct values in the field specified. | |
estdc_error(<value>)
|
Returns the theoretical error of the estimated count of the distinct values in the field specified. The error represents a ratio of the absolute_value(estimate_distinct_count - real_distinct_count)/real_distinct_count.
| |
exactperc<percentile>(<value>)
|
Returns a percentile value of the numeric field specified. Provides the exact value, but is very resource expensive for high cardinality fields. An alternative is perc.
| |
max(<value>)
|
Returns the maximum value in the field specified. If the field values are non-numeric, the maximum value is found using lexicographical ordering. This function processes field values as numbers if possible, otherwise processes field values as strings. | |
mean(<value>)
|
Returns the arithmetic mean of the values in the field specified. | |
median(<value>)
|
Returns the middle-most value of the values in the field specified. | |
min(<value>)
|
Returns the minimum value in the field specified. If the field values are non-numeric, the minimum value is found using lexicographical ordering. | |
mode(<value>)
|
Returns the most frequent value in the field specified. | |
percentile<percentile>(<value>)
|
Returns the N-th percentile value of all the values in the numeric field specified. Valid field values are integers from 1 to 99.
| |
range(<value>)
|
If the field values are numeric, returns the difference between the maximum and minimum values in the field specified. | |
stdev(<value>)
|
Returns the sample standard deviation of the values in the field specified. | |
stdevp(<value>)
|
Returns the population standard deviation of the values in the field specified. | |
sum(<value>)
|
Returns the sum of the values in the field specified. | |
sumsq(<value>)
|
Returns the sum of the squares of the values in the field specified. | |
upperperc<percentile>(<value>)
|
Returns an approximate percentile value, based on the requested percentile of the numeric field.
| |
var(<value>)
|
Returns the sample variance of the values in the field specified. | |
varp(<value>)
|
Returns the population variance of the values in the field specified. | |
| Event order functions | first(<value>
|
Returns the first seen value in a field. In general, the first seen value of the field is the most recent instance of this field, relative to the input order of events into the stats command. |
last(<value>)
|
Returns the last seen value in a field. In general, the last seen value of the field is the oldest instance of this field relative to the input order of events into the stats command. | |
| Multivalue stats and chart functions | list(<value>)
|
Returns a list of up to 100 values in a field as a multivalue entry. The order of the values reflects the order of input events. |
values(<value>)
|
Returns the list of all distinct values in a field as a multivalue entry. The order of the values is lexicographical. | |
| Time functions | earliest(<value>)
|
Returns the chronologically earliest (oldest) seen occurrence of a value in a field. |
earliest_time(<value>)
|
Returns the UNIX time of the earliest (oldest) occurrence of a value of the field. Used in conjunction with the earliest, latest, and latest_time functions to calculate the rate of increase for an accumulating counter.
| |
latest(<value>)
|
Returns the chronologically latest (most recent) seen occurrence of a value in a field. | |
latest_time(<value>)
|
Returns the UNIX time of the latest (most recent) occurrence of a value of the field. Used in conjunction with the earliest, earliest_time, and latest functions to calculate the rate of increase for an accumulating counter.
| |
per_day(<value>)
|
Returns the values in a field or eval expression for each day. | |
per_hour(<value>)
|
Returns the values in a field or eval expression for each hour. | |
per_minute(<value>)
|
Returns the values in a field or eval expression for each minute. | |
per_second(<value>)
|
Returns the values in a field or eval expression for each second. | |
rate(<value>)
|
Returns the per-second rate change of the value of the field. Represents (latest - earliest) / (latest_time - earliest_time) Requires the earliest and latest values of the field to be numerical, and the earliest_time and latest_time values to be different.
| |
rate_avg(<value>)
|
Returns the average rates for the time series associated with a specified accumulating counter metric. | |
rate_sum(<value>)
|
Returns the summed rates for the time series associated with a specified accumulating counter metric. |
Alphabetical list of functions
The following table is a quick reference of the supported statistical and charting functions, organized alphabetically. This table provides a brief description for each function. Use the links in the table to learn more about each function and to see examples.
| Supported functions and syntax | Description | Type of function |
|---|---|---|
avg(<value>)
|
Returns the average of the values in the field specified. | Aggregate functions |
count(<value>)
|
Returns the number of occurrences where the field that you specify contains any value (is not empty). You can also count the occurrences of a specific value in the field by using the eval command with the count function. For example: count(eval(field_name="value")).
|
Aggregate functions |
distinct_count(<value)
|
Returns the count of distinct values in the field specified. | Aggregate functions |
earliest(<value>)
|
Returns the chronologically earliest (oldest) seen occurrence of a value in the field specified. | Time functions |
earliest_time(<value>)
|
Returns the UNIX time of the earliest (oldest) occurrence of a value in the field specified. Used in conjunction with the earliest, latest, and latest_time functions to calculate the rate of increase for an accumulating counter.
|
Time functions |
estdc(<value>)
|
Returns the estimated count of the distinct values in the field specified. | Aggregate functions |
estdc_error(<value>)
|
Returns the theoretical error of the estimated count of the distinct values in the field specified. The error represents a ratio of the absolute_value(estimate_distinct_count - real_distinct_count)/real_distinct_count.
|
Aggregate functions |
exactperc<percentile>(<value>)
|
Returns a percentile value for the numeric field specified. Provides the exact value, but is very resource expensive for high cardinality fields. An alternative is perc.
|
Aggregate functions |
first(<value>)
|
Returns the first seen value in a field. In general, the first seen value of the field is the most recent instance of this field, relative to the input order of events into the stats command. | Event order functions |
last(<value>)
|
Returns the last seen value in a field. In general, the last seen value of the field is the oldest instance of this field relative to the input order of events into the stats command. | Event order functions |
latest(<value>)
|
Returns the chronologically latest (most recent) seen occurrence of a value in a field. | Time functions |
latest_time(<value>)
|
Returns the UNIX time of the latest (most recent) occurrence of a value of the field. Used in conjunction with the earliest, earliest_time, and latest functions to calculate the rate of increase for an accumulating counter.
|
Time functions |
list(<value>)
|
Returns a list of up to 100 values in a field as a multivalue entry. The order of the values reflects the order of input events. | Multivalue stats and chart functions |
max(<value>)
|
Returns the maximum value in the field specified. If the field values are non-numeric, the maximum value is found using lexicographical ordering. This function processes field values as numbers if possible, otherwise processes field values as strings. | Aggregate functions |
mean(<value>)
|
Returns the arithmetic mean of the values in the field specified. | Aggregate functions |
median(<value>)
|
Returns the middle-most value of the values in the field specified. | Aggregate functions |
min(<value>)
|
Returns the minimum value in the field specified. If the field values are non-numeric, the minimum value is found using lexicographical ordering. | Aggregate functions |
mode(<value>)
|
Returns the most frequent value in the field specified. | Aggregate functions |
perc<percentile>(<value>)
|
Returns the N-th percentile value of all the values in the numeric field specified. Valid field values are integers from 1 to 99.
|
Aggregate functions |
per_day(<value>)
|
Returns the values in a field or eval expression for each day. | Time functions |
per_hour(<value>)
|
Returns the values in a field or eval expression for each hour. | Time functions |
per_minute(<value>)
|
Returns the values in a field or eval expression for each minute. | Time functions |
per_second(<value>)
|
Returns the values in a field or eval expression for each second. | Time functions |
range(<value>)
|
If the field values are numeric, returns the difference between the maximum and minimum values in the field specified. | Aggregate functions |
rate(<value>)
|
Returns the per-second rate change of the value of the field. Represents (latest - earliest) / (latest_time - earliest_time) Requires the earliest and latest values of the field to be numerical, and the earliest_time and latest_time values to be different.
|
Time functions |
rate_avg(<value>)
|
Returns the average rates for the time series associated with a specified accumulating counter metric. | Time functions |
rate_sum(<value>)
|
Returns the summed rates for the time series associated with a specified accumulating counter metric. | Time functions |
stdev(<value>)
|
Returns the sample standard deviation of the values in the field specified. | Aggregate functions |
stdevp(<value>)
|
Returns the population standard deviation of the values in the field specified. | Aggregate functions |
sum(<value>)
|
Returns the sum of the values in the field specified. | Aggregate functions |
sumsq(<value>)
|
Returns the sum of the squares of the values in the field specified. | Aggregate functions |
upperperc<percentile>(<value>)
|
Returns an approximate percentile value, based on the requested percentile of the numeric field.
|
Aggregate functions |
values(<value>)
|
Returns the list of all distinct values in a field as a multivalue entry. The order of the values is lexicographical. | Multivalue stats and chart functions |
var(<value>)
|
Returns the sample variance of the values in the field specified. | Aggregate functions |
varp(<value>)
|
Returns the population variance of the values in the field specified. | Aggregate functions |
See also
- Commands
- chart
- geostats
- eventstats
- stats
- streamstats
- timechart
- Functions
- Evaluation functions
Answers
Have questions? Visit Splunk Answers and search for a specific function or command.
| Trig and Hyperbolic functions | Aggregate functions |
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!