Splunk® Enterprise

Search Reference

Statistical and charting functions

You can use the statistical and charting functions with the chart, stats, and timechart commands.

Support for related commands

The functions can also be used with related statistical and charting commands. The following table lists the commands supported by the statistical and charting functions and the related command that can also use these functions.

Command Supported related commands
chart
stats
timechart

Functions that you can use to create sparkline charts are noted in the documentation for each function. Sparkline is a function that applies to only the chart and stats commands, and allows you to call other functions. For more information, see Add sparklines to search results in the Search Manual.

How field values are processed

Most of the statistical and charting functions expect the field values to be numbers. All of the values are processed as numbers, and any non-numeric values are ignored.

The following functions process the field values as literal string values, even though the values are numbers.

  • count
  • distinct_count
  • earliest
  • estdc
  • estdc_error
  • first
  • latest
  • last
  • list
  • max
  • min
  • mode
  • values

For example, you use the distinct_count function and the field contains values such as "1", "1.0", and "01". Each value is considered a distinct string value.

The only exceptions are the max and min functions. These functions process values as numbers if possible. For example, the values "1", "1.0", and "01" are processed as the same numeric value.

Supported functions and syntax

There are two ways that you can see information about the supported statistical and charting functions:

Function list by category

The following table is a quick reference of the supported statistical and charting functions, organized by category. This table provides a brief description for each functions. Use the links in the table to learn more about each function and to see examples.

Type of function Supported functions and syntax Description
Aggregate functions avg(<value>) Returns the average of the values in the field specified.
count(<value>) Returns the number of occurrences where the field that you specify contains any value (is not empty). You can also count the occurrences of a specific value in the field by using the eval command with the count function. For example: count( eval(field_name="value")).
distinct_count(<value>) Returns the count of distinct values in the field specified.
estdc(<value>) Returns the estimated count of the distinct values in the field specified.
estdc_error(<value>) Returns the theoretical error of the estimated count of the distinct values in the field specified. The error represents a ratio of the absolute_value(estimate_distinct_count - real_distinct_count)/real_distinct_count.
exactperc<percentile>(<value>) Returns a percentile value of the numeric field specified. Provides the exact value, but is very resource expensive for high cardinality fields. An alternative is perc.
max(<value>) Returns the maximum value in the field specified. If the field values are non-numeric, the maximum value is found using lexicographical ordering. This function processes field values as numbers if possible, otherwise processes field values as strings.
mean(<value>) Returns the arithmetic mean of the values in the field specified.
median(<value>) Returns the middle-most value of the values in the field specified.
min(<value>) Returns the minimum value in the field specified. If the field values are non-numeric, the minimum value is found using lexicographical ordering.
mode(<value>) Returns the most frequent value in the field specified.
percentile<percentile>(<value>) Returns the N-th percentile value of all the values in the numeric field specified. Valid field values are integers from 1 to 99.


Additional percentile functions are upperperc<percentile>(<value>) and exactperc<percentile>(<value>).

range(<value>) If the field values are numeric, returns the difference between the maximum and minimum values in the field specified.
stdev(<value>) Returns the sample standard deviation of the values in the field specified.
stdevp(<value>) Returns the population standard deviation of the values in the field specified.
sum(<value>) Returns the sum of the values in the field specified.
sumsq(<value>) Returns the sum of the squares of the values in the field specified.
upperperc<percentile>(<value>) Returns an approximate percentile value, based on the requested percentile of the numeric field.


When there are more than 1000 values, the upperperc function gives the approximate upper bound for the percentile requested. Otherwise the upperperc function returns the same percentile as the perc function.

var(<value>) Returns the sample variance of the values in the field specified.
varp(<value>) Returns the population variance of the values in the field specified.
Event order functions first(<value> Returns the first seen value in a field. In general, the first seen value of the field is the most recent instance of this field, relative to the input order of events into the stats command.
last(<value>) Returns the last seen value in a field. In general, the last seen value of the field is the oldest instance of this field relative to the input order of events into the stats command.
Multivalue stats and chart functions list(<value>) Returns a list of up to 100 values in a field as a multivalue entry. The order of the values reflects the order of input events.
values(<value>) Returns the list of all distinct values in a field as a multivalue entry. The order of the values is lexicographical.
Time functions earliest(<value>) Returns the chronologically earliest (oldest) seen occurrence of a value in a field.
earliest_time(<value>) Returns the UNIX time of the earliest (oldest) occurrence of a value of the field. Used in conjunction with the earliest, latest, and latest_time functions to calculate the rate of increase for an accumulating counter.
latest(<value>) Returns the chronologically latest (most recent) seen occurrence of a value in a field.
latest_time(<value>) Returns the UNIX time of the latest (most recent) occurrence of a value of the field. Used in conjunction with the earliest, earliest_time, and latest functions to calculate the rate of increase for an accumulating counter.
per_day(<value>) Returns the values in a field or eval expression for each day.
per_hour(<value>) Returns the values in a field or eval expression for each hour.
per_minute(<value>) Returns the values in a field or eval expression for each minute.
per_second(<value>) Returns the values in a field or eval expression for each second.
rate(<value>) Returns the per-second rate change of the value of the field. Represents (latest - earliest) / (latest_time - earliest_time) Requires the earliest and latest values of the field to be numerical, and the earliest_time and latest_time values to be different.
rate_avg(<value>) Returns the average rates for the time series associated with a specified accumulating counter metric.
rate_sum(<value>) Returns the summed rates for the time series associated with a specified accumulating counter metric.

Alphabetical list of functions

The following table is a quick reference of the supported statistical and charting functions, organized alphabetically. This table provides a brief description for each function. Use the links in the table to learn more about each function and to see examples.

Supported functions and syntax Description Type of function
avg(<value>) Returns the average of the values in the field specified. Aggregate functions
count(<value>) Returns the number of occurrences where the field that you specify contains any value (is not empty). You can also count the occurrences of a specific value in the field by using the eval command with the count function. For example: count(eval(field_name="value")). Aggregate functions
distinct_count(<value) Returns the count of distinct values in the field specified. Aggregate functions
earliest(<value>) Returns the chronologically earliest (oldest) seen occurrence of a value in the field specified. Time functions
earliest_time(<value>) Returns the UNIX time of the earliest (oldest) occurrence of a value in the field specified. Used in conjunction with the earliest, latest, and latest_time functions to calculate the rate of increase for an accumulating counter. Time functions
estdc(<value>) Returns the estimated count of the distinct values in the field specified. Aggregate functions
estdc_error(<value>) Returns the theoretical error of the estimated count of the distinct values in the field specified. The error represents a ratio of the absolute_value(estimate_distinct_count - real_distinct_count)/real_distinct_count. Aggregate functions
exactperc<percentile>(<value>) Returns a percentile value for the numeric field specified. Provides the exact value, but is very resource expensive for high cardinality fields. An alternative is perc. Aggregate functions
first(<value>) Returns the first seen value in a field. In general, the first seen value of the field is the most recent instance of this field, relative to the input order of events into the stats command. Event order functions
last(<value>) Returns the last seen value in a field. In general, the last seen value of the field is the oldest instance of this field relative to the input order of events into the stats command. Event order functions
latest(<value>) Returns the chronologically latest (most recent) seen occurrence of a value in a field. Time functions
latest_time(<value>) Returns the UNIX time of the latest (most recent) occurrence of a value of the field. Used in conjunction with the earliest, earliest_time, and latest functions to calculate the rate of increase for an accumulating counter. Time functions
list(<value>) Returns a list of up to 100 values in a field as a multivalue entry. The order of the values reflects the order of input events. Multivalue stats and chart functions
max(<value>) Returns the maximum value in the field specified. If the field values are non-numeric, the maximum value is found using lexicographical ordering. This function processes field values as numbers if possible, otherwise processes field values as strings. Aggregate functions
mean(<value>) Returns the arithmetic mean of the values in the field specified. Aggregate functions
median(<value>) Returns the middle-most value of the values in the field specified. Aggregate functions
min(<value>) Returns the minimum value in the field specified. If the field values are non-numeric, the minimum value is found using lexicographical ordering. Aggregate functions
mode(<value>) Returns the most frequent value in the field specified. Aggregate functions
perc<percentile>(<value>) Returns the N-th percentile value of all the values in the numeric field specified. Valid field values are integers from 1 to 99.


Additional percentile functions are upperperc and exactperc.

Aggregate functions
per_day(<value>) Returns the values in a field or eval expression for each day. Time functions
per_hour(<value>) Returns the values in a field or eval expression for each hour. Time functions
per_minute(<value>) Returns the values in a field or eval expression for each minute. Time functions
per_second(<value>) Returns the values in a field or eval expression for each second. Time functions
range(<value>) If the field values are numeric, returns the difference between the maximum and minimum values in the field specified. Aggregate functions
rate(<value>) Returns the per-second rate change of the value of the field. Represents (latest - earliest) / (latest_time - earliest_time) Requires the earliest and latest values of the field to be numerical, and the earliest_time and latest_time values to be different. Time functions
rate_avg(<value>) Returns the average rates for the time series associated with a specified accumulating counter metric. Time functions
rate_sum(<value>) Returns the summed rates for the time series associated with a specified accumulating counter metric. Time functions
stdev(<value>) Returns the sample standard deviation of the values in the field specified. Aggregate functions
stdevp(<value>) Returns the population standard deviation of the values in the field specified. Aggregate functions
sum(<value>) Returns the sum of the values in the field specified. Aggregate functions
sumsq(<value>) Returns the sum of the squares of the values in the field specified. Aggregate functions
upperperc<percentile>(<value>) Returns an approximate percentile value, based on the requested percentile of the numeric field.


When there are more than 1000 values, the upperperc function gives the approximate upper bound for the percentile requested. Otherwise the upperperc function returns the same percentile as the perc function.

Aggregate functions
values(<value>) Returns the list of all distinct values in a field as a multivalue entry. The order of the values is lexicographical. Multivalue stats and chart functions
var(<value>) Returns the sample variance of the values in the field specified. Aggregate functions
varp(<value>) Returns the population variance of the values in the field specified. Aggregate functions

See also

Commands
chart
geostats
eventstats
stats
streamstats
timechart
Functions
Evaluation functions

Answers

Have questions? Visit Splunk Answers and search for a specific function or command.

Last modified on 30 August, 2024
Trig and Hyperbolic functions   Aggregate functions

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters