fieldsummary command calculates summary statistics for all fields or a subset of the fields in your events. The summary information is displayed as a results table.
fieldsummary [maxvals=<num>] [<wc-field-list>]
- Syntax: maxvals=<num>
- Description: Specifies the maximum distinct values to return for each field.
- Default: 100
- Description: A field or list of fields. You can specify multiple, similar field names using the asterisk ( * ) wildcard.
fieldsummary command displays the summary information in a results table. The following information appears in the results table:
|Summary field name||Description|
||The field name in the event.|
||The number of events/results with that field.|
||The number of unique values in the field.|
|| Whether or not the field is exact. This is related to the distinct count of the field values. If the number of values of the field exceeds |
||If the field is numeric, the maximum of its value.|
||If the field is numeric, the mean of its values.|
||If the field is numeric, the minimum of its values.|
||The count of numeric values in the field. This would not include NULL values.|
||If the field is numeric, the standard deviation of its values.|
||The distinct values of the field and count of each value.|
1. Return summaries for all fields
This example returns summaries for all fields in the
_internal index from the last 15 minutes.
index=_internal earliest=-15m latest=now | fieldsummary
In this example, the results in the
stdev fields are formatted to display up to 4 decimal points.
2. Return summaries for specific fields
This example returns summaries for fields in the
_internal index with names that contain "size" and "count". The search returns only the top 10 values for each field from the last 15 minutes.
index=_internal earliest=-15m latest=now | fieldsummary maxvals=10 *size* *count*
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the fieldsummary command.
This documentation applies to the following versions of Splunk Cloud™: 7.2.7, 7.1.3, 7.1.6, 7.2.3, 7.2.4, 7.2.6