This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10
These are statistical functions that you can use with the chart, stats, and timechart commands.
Note: Functions that are relevant for stats are also relevant for eventstats and streamstats.
Note: Functions that are relevant for chart, stats, and timechart are also relevant for their respective summary indexing counterparts: sichart, sistats, and sitimechart.
| Function | Description | Command(s) | Example(s) |
|---|---|---|---|
| avg(X) | This function returns the average of the values of field X. See also mean(X). | chart, stats, and timechart | This example returns the average response time: |
| c(X) \| count(X) | This function returns the number of occurrences of the field X. To indicate a specific field value to match, format X as eval(field="value"). | chart, stats, and timechart | This example returns the count of events where status has the value "404": |
| dc(X) \| distinct_count(X) | This function returns the count of distinct values of the field X. | chart, stats, and timechart | |
| first(X) | This function returns the first seen value of the field X. In general, the first seen value of the field is the chronologically most recent instance of this field. | chart, stats, and timechart | |
| last(X) | This function returns the last seen value of the field X. | chart, stats, and timechart | |
| list(X) | This function returns the list of all values of the field X as a multi-value entry. The order of the values reflects the order of input events. | chart, stats, and timechart | |
| max(X) | This function returns the maximum value of the field X. If the values of X are non-numeric, the max is found from lexicographic ordering. | chart, stats, and timechart | This example returns the maximum value of "size": |
| mean(X) | This function returns the arithmetic mean of the field X. See also avg(X). | chart, stats, and timechart | This example returns the mean of "kbps" values: |
| median(X) | This function returns the middle-most value of the field X. | chart, stats, and timechart | |
| min(X) | This function returns the minimum value of the field X. If the values of X are non-numeric, the min is found from lexicographic ordering. | chart, stats, and timechart | |
| mode(X) | This function returns the most frequent value of the field X. | chart, stats, and timechart | |
| p<X>(Y) \| perc<X>(Y) | This function returns the X-th percentile value of the field Y. | chart, stats, and timechart | This example returns the 5th percentile value of a field "total": |
| per_day(X) | This function returns the values of field X per day. | timechart | This example returns the values of "total" per day. |
| per_hour(X) | This function returns the values of field X per hour. | timechart | This example returns the values of "total" per hour. |
| per_minute(X) | This function returns the values of field X per minute. | timechart | This example returns the values of "total" per minute. |
| per_second(X) | This function returns the values of field X per second. | timechart | This example returns the values of "kb" per second: |
| range(X) | This function returns the difference between the max and min values of the field X, only if the values of X are numeric. | chart, stats, and timechart | |
| stdev(X) | This function returns the sample or population standard deviation of the field X. | chart, stats, and timechart | This example returns the standard deviation of the wildcarded fields "*delay", which matches both "delay" and "xdelay". |
| sum(X) | This function returns the sum of the values of the field X. | chart, stats, and timechart | sum({date_hour * date_minute}) |
| values(X) | This function returns the list of all distinct values of the field X as a multi-value entry. The order of the values is lexicographical. | chart, stats, and timechart | |
| var(X) | This function returns the sample or population variance of the field X. | chart, stats, and timechart | |
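As an added example, not taken from the Splunk documentation: a single stats search that combines several of the functions above (count with eval, dc, max, perc<X>, avg, values) to summarize web-access activity per client so that noisy or anomalous sources stand out. It assumes access_combined data with the standard clientip, status, uri_path and bytes fields; the thresholds in the where clause are placeholders to tune for your environment.

```spl
sourcetype=access_combined
| stats count AS requests,
        count(eval(status="404")) AS not_found,
        count(eval(status="500")) AS server_errors,
        dc(uri_path) AS distinct_paths,
        avg(bytes) AS avg_bytes,
        perc95(bytes) AS p95_bytes,
        max(bytes) AS largest_response,
        values(status) AS status_codes
  BY clientip
| where not_found > 50 OR distinct_paths > 100
| sort - not_found
```

Because the same functions apply to timechart, swapping `stats ... BY clientip` for `timechart span=1h ... ` gives the hourly baseline of the same measures for alert thresholds.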