Splunk® Enterprise

Search Reference

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

fieldsummary

Description

The fieldsummary command calculates summary statistics for all fields or a subset of the fields in your events. The summary information is displayed as a results table.

Syntax

fieldsummary [maxvals=<num>] [<wc-field-list>]

Optional arguments

maxvals
Syntax: maxvals=<num>
Description: Specifies the maximum distinct values to return for each field.
Default: 100
wc-field-list
Description: A field or list of fields. You can specify multiple, similar field names using the asterisk ( * ) wildcard.

Usage

The fieldsummary command displays the summary information in a results table. The following information appears in the results table:

Summary field name Description
field The field name in the event.
count The number of events/results with that field.
distinct_count The number of unique values in the field.
is_exact Whether or not the field is exact. This is related to the distinct count of the field values. If the number of values of the field exceeds maxvals, then fieldsummary will stop retaining all the values and compute an approximate distinct count instead of an exact one. 1 means it is exact, 0 means it is not.
max If the field is numeric, the maximum of its value.
mean If the field is numeric, the mean of its values.
min If the field is numeric, the minimum of its values.
numeric_count The count of numeric values in the field. This would not include NULL values.
stdev If the field is numeric, the standard deviation of its values.
values The distinct values of the field and count of each value.

Examples

1. Return summaries for all fields

This example returns summaries for all fields in the _internal index from the last 15 minutes.

index=_internal earliest=-15m latest=now | fieldsummary


This image shows a table of results. The fields in the table are the fields that are described in the Usage section of this topic.

2. Return summaries for specific fields

This example returns summaries for fields in the _internal index with names that contain "size" and "count". The search returns only the top 10 values for each field from the last 15 minutes.

index=_internal earliest=-15m latest=now | fieldsummary maxvals=10 *size* *count*


This image shows a table of results. The fields in the table are the fields that are described in the Usage section of this topic.

See also

analyzefields, anomalies, anomalousvalue, stats


Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the fieldsummary command.

Last modified on 18 May, 2018
fields   filldown

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters