Splunk® Enterprise

Search Reference

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Statistical and charting functions

You can use the statistical and charting functions with the chart, stats, and timechart commands.

Support for related commands

The functions can also be used with related statistical and charting commands. The following table lists the commands supported by the statistical and charting functions and the related command that can also use these functions.

Command Supported related commands
chart
stats
timechart

Functions that you can use to create sparkline charts are noted in the documentation for each function. Sparkline is a function that applies to only the chart and stats commands, and allows you to call other functions. For more information, see Add sparklines to search results in the Search Manual.

Using eval expressions in statistical and charting functions

In some of the examples for the statistical and charting functions you might see eval expressions.

Using an eval expression in a statistical or charting function is a shortcut for specifying an eval command that creates a field, followed by a stats command that references that field.

For example:

... | stats count(eval(status="404")) AS count_status BY sourcetype

Here's another example:

... | timechart eval(round(avg(cpu_seconds),2)) BY processor

When you use an eval expression with the timechart command, you must also use BY clause.


As a shortcut, you can use an eval <expression> in a statistical or charting function where you would normally use a <field>. One example of the eval <expression> syntax is:

... | stats func(eval(<expression>)) 

This eval <expression> syntax is equivalent to this command syntax:

... | eval temp_field = <expression> | stats func(temp_field)

For additional information, see Use stats with eval expressions and function in the Search Manual.

How field values are processed

Most of the statistical and charting functions expect the field values to be numbers. All of the values are processed as numbers, and any non-numeric values are ignored.

The following functions process the field values as literal string values, even though the values are numbers.

  • count
  • distinct_count
  • earliest
  • estdc
  • estdc_error
  • first
  • latest
  • last
  • list
  • max
  • min
  • mode
  • values

For example, you use the distinct_count function and the field contains values such as "1", "1.0", and "01". Each value is considered a distinct string value.

The only exceptions are the max and min functions. These functions process values as numbers if possible. For example, the values "1", "1.0", and "01" are processed as the same numeric value.

Supported functions and syntax

The following table is a quick reference of the supported statistical and charting functions. This table lists the syntax and provides a brief description for each of the functions. Use the links in the table to learn more about each function examples, and to see examples.

Type of function Supported functions and syntax Description
Aggregate functions avg(X) Returns the average of the values in the field X.
count(X) Returns the number of occurrences where the field that you specify contains any value (is not empty. You can also count the occurrences of a specific value in the field by using the eval command with the count function. For example: count eval(field_name="value").
distinct_count(X) Returns the count of distinct values in the field X.
estdc(X) Returns the estimated count of the distinct values in the field X.
estdc_error(X) Returns the theoretical error of the estimated count of the distinct values in the field X. The error represents a ratio of the absolute_value(estimate_distinct_count - real_distinct_count)/real_distinct_count.
max(X) Returns the maximum value of the field X. If the values of X are non-numeric, the maximum value is found using lexicographical ordering. This function processes field values as numbers if possible, otherwise processes field values as strings.
mean(X) Returns the arithmetic mean of the field X.
median(X) Returns the middle-most value of the field X.
min(X) Returns the minimum value of the field X. If the values of X are non-numeric, the minimum value is found using lexicographical ordering.
mode(X) Returns the most frequent value of the field X.
percentile<X>(Y) Returns the X-th percentile value of the numeric field Y. Valid values of X are integers from 1 to 99.


Additional percentile functions are upperperc<X>(Y) and exactperc<X>(Y).

range(X) Returns the difference between the maximum and minimum values of the field X ONLY IF the values of X are numeric.
stdev(X) Returns the sample standard deviation of the field X.
stdevp(X) Returns the population standard deviation of the field X.
sum(X) Returns the sum of the values of the field X.
sumsq(X) Returns the sum of the squares of the values of the field X.
var(X) Returns the sample variance of the field X.
varp(X) Returns the population variance of the field X.
Event order functions first(X) Returns the first seen value of the field X. In general, the first seen value of the field is the most recent instance of this field, relative to the input order of events into the stats command.
last(X) Returns the last seen value of the field X. In general, the last seen value of the field is the oldest instance of this field relative to the input order of events into the stats command.
Multivalue stats and chart functions list(X) Returns a list of up to 100 values of the field X as a multivalue entry. The order of the values reflects the order of input events.
values(X) Returns the list of all distinct values of the field X as a multivalue entry. The order of the values is lexicographical.
Time functions earliest(X) Returns the chronologically earliest (oldest) seen occurrence of a value of a field X.
earliest_time(X) Returns the UNIX time of the earliest (oldest) occurrence of a value of the field. Used in conjunction with earliest(x), latest(x), and latest_time(x) to calculate the rate of increase for an accumulating counter.
latest(X) Returns the chronologically latest (most recent) seen occurrence of a value of a field X.
latest_time(X) Returns the UNIX time of the latest (most recent) occurrence of a value of the field. Used in conjunction with earliest(x), earliest_time(x), and latest(x) to calculate the rate of increase for an accumulating counter.
per_day(X) Returns the values of field X, or eval expression X, for each day.
per_hour(X) Returns the values of field X, or eval expression X, for each hour.
per_minute(X) Returns the values of field X, or eval expression X, for each minute.
per_second(X) Returns the values of field X, or eval expression X, for each second.
rate(X) Returns the per-second rate change of the value of the field. Represents (latest(X) - earliest(X)) / (latest_time(X) - earliest_time(X)) Requires the earliest(X) and latest(X) values of the field to be numerical, and the earliest_time(X) and latest_time(X) values to be different.

See also

Evaluation functions

stats, chart, timechart, eventstats, streamstats, geostats

Last modified on 12 October, 2020
Trig and Hyperbolic functions   Aggregate functions

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters