Splunk® Enterprise

Search Reference

Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Statistical eval functions

The following list contains the evaluation functions that you can use to calculate statistics.

For information about using string and numeric fields in functions, and nesting functions, see Evaluation functions.

In addition to these functions, there is a comprehensive set of statistical functions that you can use with the stats, chart, and related commands.

max(X,...)

Description

This function takes an arbitrary number of numeric or string arguments, and returns the maximum. Strings are greater than numbers.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic examples

The following example returns either "foo" or the value in the name field. Splunk searches use lexicographical order, where numbers are sorted before letters. If the value in the name field is "baz", then "foo" is returned. If the value in the name field is "zaz", then "zaz" is returned.

... | eval n=max(1, 3, 6, 7, "foo", name)


The following example returns the maximum value in a multivalue field.

This search creates a field called n with a single value, which is a series of numbers. The makemv command is used to make the single value into multiple values, each of which appears on it's own row in the results. Another new field called maxn is created which takes the values in n and returns the maximum value, 6.

| makeresults | eval n = "1 3 5 6 4 2" | makemv n | eval maxn = max(n)

The results look like this:

_time maxn n
2021-01-29 10:42:37 6 1

3
5
6
4
2

min(X,...)

Description

This function takes an arbitrary number of numeric or string arguments, and returns the minimum. Strings are greater than numbers.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic examples

The following example returns either 3 or the value in the size field. Splunk searches use lexicographical order, where numbers are sorted before letters. If the value in the size field is 9, then 3 is returned. If the value in the size field is 1, then 1 is returned.

... | eval n=min(3, 6, 7, "maria", size)


The following example returns the minimum value in a multivalue field.

This search creates a field called n with a single value, which is a series of numbers. The makemv command is used to make the single value into multiple values, each of which appears on it's own row in the results. Another new field called minn is created which takes the values in n and returns the minimum value, 2.

| makeresults | eval n = "3 5 6 4 7 2" | makemv n | eval minn = min(n)

The results look like this:

_time minn n
2021-01-29 10:42:37 2 3

5
6
4
7
2

random()

Description

This function takes no arguments and returns a pseudo-random integer ranging from zero to 231-1.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic examples

The following example returns a random integer, such as 0...2147483647.

... | eval n=random()


The following example returns a random number within a specified range. In this example, the random number is between 1 and 100,000.

... | eval n=(random() % 100000) + 1


This example takes a random number and uses the modulo mathematical operator ( % ) to divide the random number by 100000. This ensures that the random number returned is not greater than 100000. The number remaining after the division is increased by 1 to ensure that the number is at least greater than or equal to 1.

Last modified on 26 October, 2021
 

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters