Splunk Cloud

Search Reference

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Statistical eval functions

The following list contains the evaluation functions that you can use to calculate statistics.

For information about using string and numeric fields in functions, and nesting functions, see Evaluation functions.

In addition to these functions, there is a comprehensive set of statistical functions that you can use with the stats, chart, and related commands.

max(X,...)

Description

This function takes an arbitrary number of numeric or string arguments, and returns the maximum. Strings are greater than numbers.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic example

The following example returns either "foo" or field, depending on the value of field.

... | eval n=max(1, 3, 6, 7, "foo", field)


min(X,...)

Description

This function takes an arbitrary number of numeric or string arguments, and returns the minimum. Strings are greater than numbers.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic example

The following example returns either 1 or field, depending on the value of field.

... | eval n=min(1, 3, 6, 7, "foo", field)


random()

Description

This function takes no arguments and returns a pseudo-random integer ranging from zero to 231-1.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic examples

The following example returns a random integer, such as 0...2147483647.

... | eval n=random()


The following example returns a random number within a specified range. In this example, the random number is between 1 and 100,000.

... | eval n=(random() % 100000) + 1


This example takes a random number and uses the modulo mathematical operator ( % ) to divide the random number by 100000. This ensures that the random number returned is not greater than 100000. The number remaining after the division is increased by 1 to ensure that the number is at least greater than or equal to 1.

Last modified on 06 September, 2019
PREVIOUS
Multivalue eval functions 		  NEXT
Text functions

This documentation applies to the following versions of Splunk Cloud: 7.0.13, 8.1.2011, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2006, 8.0.2007, 8.1.2008, 8.1.2009

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters