fieldsummary
Description
The fieldsummary command calculates summary statistics for all fields, or a subset of the fields, in your events. The summary information is displayed as a results table.
Syntax
fieldsummary [maxvals=<unsigned_int>] [<wc-field-list>]
Optional arguments
- maxvals
- Syntax: maxvals=<unsigned_int>
- Description: Specifies the maximum number of distinct values to retain for each field. Cannot be negative. Set maxvals=0 to return all distinct values for each field.
- Default: 100
- wc-field-list
- Syntax: <field> ...
- Description: A single field name or a space-delimited list of field names. You can use the asterisk ( * ) as a wildcard to match fields with similar names. For example, to specify all fields whose names start with "value", use the wildcard value*.
Usage
The fieldsummary command is a dataset processing command. See Command types.
The fieldsummary command displays the summary information in a results table. The following information appears in the results table:
Summary field name | Description |
---|---|
field | The field name in the event. |
count | The number of events or results that contain the field. |
distinct_count | The number of unique values in the field. |
is_exact | Whether the distinct count is exact. If the number of distinct values in the field exceeds maxvals, fieldsummary stops retaining all the values and computes an approximate distinct count instead of an exact one. 1 means the count is exact, 0 means it is approximate. |
max | If the field is numeric, the maximum of its values. |
mean | If the field is numeric, the mean of its values. |
min | If the field is numeric, the minimum of its values. |
numeric_count | The number of numeric values in the field. NULL values are not counted. |
stdev | If the field is numeric, the standard deviation of its values. |
values | The distinct values of the field and the count of each value. The values are sorted by count, highest first, and then by value in ascending order. |
Examples
1. Return summaries for all fields
This example returns summaries for all fields in the _internal index from the last 15 minutes.
index=_internal earliest=-15m latest=now | fieldsummary
In this example, the results in the max, min, and stdev fields are formatted to display up to 4 decimal places.
2. Return summaries for specific fields
This example returns summaries for fields in the _internal index whose names contain "size" or "count", over the last 15 minutes. Because maxvals=10, at most 10 distinct values are retained and listed for each field; for any field with more than 10 distinct values, distinct_count is approximate and is_exact is 0.
index=_internal earliest=-15m latest=now | fieldsummary maxvals=10 *size* *count*
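The following search builds on the two examples above to show how the summary columns are used when auditing a log source before writing a detection: it computes what fraction of events actually carry each field and labels fields whose distinct count is only an estimate. This is an added example, not part of the original page. The sourcetype splunkd, the 60-minute window, and the maxvals value are assumptions, and the subsearch with return $count is one way of several to obtain the total event count for the same time range.

```spl
index=_internal sourcetype=splunkd earliest=-60m latest=now
| fieldsummary maxvals=20
| eval total_events=[search index=_internal sourcetype=splunkd earliest=-60m latest=now | stats count | return $count]
| eval coverage_pct=round(100*count/total_events, 1)
| eval distinct_count_note=if(is_exact=0, "approximate (more than maxvals distinct values seen)", "exact")
| where coverage_pct < 100
| table field count total_events coverage_pct distinct_count distinct_count_note numeric_count
| sort coverage_pct
```

A coverage_pct below 100 means the field is absent from some events, so a detection that filters on field=value silently drops those events; fields that are present everywhere are hidden by the where clause and reappear if you remove it. A distinct_count_note of "approximate" means distinct_count was estimated after more than maxvals values were seen; raise maxvals or run stats dc(<field>) when an exact cardinality matters. A numeric_count lower than count indicates mixed numeric and non-numeric values in the field, so max, min, mean, and stdev describe only the numeric subset.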
See also
fields, filldown
This documentation applies to the following versions of Splunk Cloud Platform™: 9.2.2406, 8.2.2201, 8.2.2203, 8.2.2112, 8.2.2202, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release)