The fieldsummary command calculates summary statistics for all fields or a subset of the fields in your events. The summary information is displayed as a results table.
fieldsummary [maxvals=<unsigned_int>] [<wc-field-list>]

maxvals
- Syntax: maxvals=<unsigned_int>
- Description: Specifies the maximum number of distinct values to return for each field. Cannot be negative. Set maxvals=0 to return all available distinct values for each field.
- Default: 100

<wc-field-list>
- Syntax: <field> ...
- Description: A single field name or a space-delimited list of field names. You can use the asterisk ( * ) as a wildcard to specify a list of fields with similar names. For example, if you want to specify all fields that start with "value", you can use a wildcard such as
The fieldsummary command is a dataset processing command. See Command types.

The fieldsummary command displays the summary information in a results table. The following information appears in the results table:
|Summary field name|Description|
|---|---|
|field|The field name in the event.|
|count|The number of events/results with that field.|
|distinct_count|The number of unique values in the field.|
|is_exact|Whether or not the field is exact. This is related to the distinct count of the field values. If the number of values of the field exceeds|
|max|If the field is numeric, the maximum of its values.|
|mean|If the field is numeric, the mean of its values.|
|min|If the field is numeric, the minimum of its values.|
|numeric_count|The count of numeric values in the field. This does not include NULL values.|
|stdev|If the field is numeric, the standard deviation of its values.|
|values|The distinct values of the field and the count of each value. The values are sorted first by highest count and then by distinct value, in ascending order.|
1. Return summaries for all fields

This example returns summaries for all fields in the _internal index from the last 15 minutes.

index=_internal earliest=-15m latest=now | fieldsummary

In this example, the results in the stdev field are formatted to display up to 4 decimal points.
2. Return summaries for specific fields

This example returns summaries for fields in the _internal index with names that contain "size" and "count". The search returns only the top 10 values for each field from the last 15 minutes.

index=_internal earliest=-15m latest=now | fieldsummary maxvals=10 *size* *count*
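As an added example that is not part of the Splunk documentation, the following Python models how the summary columns in the table above are computed from a set of events, and how the maxvals cap and the wildcard field list used in the two searches shape the output. The sample events are constructed, and the is_exact and stdev details noted in the docstring are assumptions about behaviour the page does not spell out.

```python
from collections import Counter
from fnmatch import fnmatchcase
from statistics import stdev

# Constructed sample events standing in for search results (not real data).
EVENTS = [
    {"host": "web1", "status": "200", "bytes": "512"},
    {"host": "web1", "status": "404", "bytes": "128"},
    {"host": "web2", "status": "200", "bytes": "1024"},
    {"host": "web2", "status": "200"},                  # bytes field absent
    {"host": "db1", "status": "500", "bytes": "abc"},   # non-numeric bytes
]

def _as_number(value):
    # Return value as float, or None when it is not numeric.
    try:
        return float(value)
    except (TypeError, ValueError):
        return None

def fieldsummary(events, maxvals=100, patterns=("*",)):
    """One summary row per field whose name matches a wildcard pattern.
    Assumed, not stated on the page: is_exact is False once the distinct
    count exceeds maxvals, and stdev is the sample standard deviation."""
    names = sorted({f for e in events for f in e})
    rows = []
    for name in names:
        if not any(fnmatchcase(name, p) for p in patterns):
            continue
        present = [e[name] for e in events if name in e]
        counts = Counter(present)
        nums = [n for n in map(_as_number, present) if n is not None]
        # values: highest count first, then value ascending; maxvals=0 keeps all.
        ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
        if maxvals:
            ordered = ordered[:maxvals]
        rows.append({
            "field": name,
            "count": len(present),
            "distinct_count": len(counts),
            "is_exact": maxvals == 0 or len(counts) <= maxvals,
            "max": max(nums) if nums else None,
            "mean": sum(nums) / len(nums) if nums else None,
            "min": min(nums) if nums else None,
            "numeric_count": len(nums),
            "stdev": stdev(nums) if len(nums) > 1 else None,
            "values": [{"value": v, "count": c} for v, c in ordered],
        })
    return rows
```

Calling fieldsummary(EVENTS, maxvals=10, patterns=("*size*", "*count*")) mirrors the second search above, returning no rows for these sample events because none of their field names match.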
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2305 (latest FedRAMP release), 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 8.2.2112