Statistical and charting functions - Splunk Documentation (2024)

You can use the statistical and charting functions with the chart, stats, and timechart commands.

Support for related commands

The functions can also be used with related statistical and charting commands. The following table lists the commands supported by the statistical and charting functions and the related command that can also use these functions.

Command	Supported related commands
`chart`	`sichart`
`stats`	`eventstats` `streamstats` `geostats` `sistats` For the `tstats` and the `mstats` commands, see the documentation for each command for a list of the supported functions.
`timechart`	`sitimechart`

Functions that you can use to create sparkline charts are noted in the documentation for each function. Sparkline is a function that applies to only the chart and stats commands, and allows you to call other functions. For more information, see Add sparklines to search results in the Search Manual.

How field values are processed

Most of the statistical and charting functions expect the field values to be numbers. All of the values are processed as numbers, and any non-numeric values are ignored.

The following functions process the field values as literal string values, even though the values are numbers.

count
distinct_count
earliest

estdc
estdc_error
first

latest
last
list

max
min
mode
values

For example, you use the distinct_count function and the field contains values such as "1", "1.0", and "01". Each value is considered a distinct string value.

The only exceptions are the max and min functions. These functions process values as numbers if possible. For example, the values "1", "1.0", and "01" are processed as the same numeric value.

Supported functions and syntax

There are two ways that you can see information about the supported statistical and charting functions:

Function list by category
Alphabetical list of functions

Function list by category

The following table is a quick reference of the supported statistical and charting functions, organized by category. This table provides a brief description for each functions. Use the links in the table to learn more about each function and to see examples.

Type of function	Supported functions and syntax	Description
Aggregate functions	`avg(<value>)`	Returns the average of the values in the field specified.
	`count(<value>)`	Returns the number of occurrences where the field that you specify contains any value (is not empty. You can also count the occurrences of a specific value in the field by using the `eval` command with the `count` function. For example: `count eval(field_name="value")`.
	`distinct_count(<value>)`	Returns the count of distinct values in the field specified.
	`estdc(<value>)`	Returns the estimated count of the distinct values in the field specified.
	`estdc_error(<value>)`	Returns the theoretical error of the estimated count of the distinct values in the field specified. The error represents a ratio of the `absolute_value(estimate_distinct_count - real_distinct_count)/real_distinct_count`.
	`exactperc<percentile>(<value>)`	Returns a percentile value of the numeric field specified. Provides the exact value, but is very resource expensive for high cardinality fields. An alternative is `perc`.
	`max(<value>)`	Returns the maximum value in the field specified. If the field values are non-numeric, the maximum value is found using lexicographical ordering. This function processes field values as numbers if possible, otherwise processes field values as strings.
	`mean(<value>)`	Returns the arithmetic mean of the values in the field specified.
	`median(<value>)`	Returns the middle-most value of the values in the field specified.
	`min(<value>)`	Returns the minimum value in the field specified. If the field values are non-numeric, the minimum value is found using lexicographical ordering.
	`mode(<value>)`	Returns the most frequent value in the field specified.
	`percentile<percentile>(<value>)`	Returns the N-th percentile value of all the values in the numeric field specified. Valid field values are integers from 1 to 99. Additional percentile functions are `upperperc<percentile>(<value>)` and `exactperc<percentile>(<value>)`.
	`range(<value>)`	If the field values are numeric, returns the difference between the maximum and minimum values in the field specified.
	`stdev(<value>)`	Returns the sample standard deviation of the values in the field specified.
	`stdevp(<value>)`	Returns the population standard deviation of the values in the field specified.
	`sum(<value>)`	Returns the sum of the values in the field specified.
	`sumsq(<value>)`	Returns the sum of the squares of the values in the field specified.
	`upperperc<percentile>(<value>)`	Returns an approximate percentile value, based on the requested percentile of the numeric field. When there are more than 1000 values, the upperperc function gives the approximate upper bound for the percentile requested. Otherwise the upperperc function returns the same percentile as the `perc` function.
	`var(<value>)`	Returns the sample variance of the values in the field specified.
	`varp(<value>)`	Returns the population variance of the values in the field specified.
Event order functions	`first(<value>`	Returns the first seen value in a field. In general, the first seen value of the field is the most recent instance of this field, relative to the input order of events into the stats command.
Event order functions	`last(<value>)`	Returns the last seen value in a field. In general, the last seen value of the field is the oldest instance of this field relative to the input order of events into the stats command.
Multivalue stats and chart functions	`list(<value>)`	Returns a list of up to 100 values in a field as a multivalue entry. The order of the values reflects the order of input events.
Multivalue stats and chart functions	`values(<value>)`	Returns the list of all distinct values in a field as a multivalue entry. The order of the values is lexicographical.
Time functions	`earliest(<value>)`	Returns the chronologically earliest (oldest) seen occurrence of a value in a field.
	`earliest_time(<value>)`	Returns the UNIX time of the earliest (oldest) occurrence of a value of the field. Used in conjunction with the `earliest`, `latest`, and `latest_time` functions to calculate the rate of increase for an accumulating counter.
	`latest(<value>)`	Returns the chronologically latest (most recent) seen occurrence of a value in a field.
	`latest_time(<value>)`	Returns the UNIX time of the latest (most recent) occurrence of a value of the field. Used in conjunction with the `earliest`, `earliest_time`, and `latest` functions to calculate the rate of increase for an accumulating counter.
	`per_day(<value>)`	Returns the values in a field or eval expression for each day.
	`per_hour(<value>)`	Returns the values in a field or eval expression for each hour.
	`per_minute(<value>)`	Returns the values in a field or eval expression for each minute.
	`per_second(<value>)`	Returns the values in a field or eval expression for each second.
	`rate(<value>)`	Returns the per-second rate change of the value of the field. Represents `(latest - earliest) / (latest_time - earliest_time)` Requires the `earliest` and `latest` values of the field to be numerical, and the `earliest_time` and `latest_time` values to be different.
	`rate_avg(<value>)`	Returns the average rates for the time series associated with a specified accumulating counter metric.
	`rate_sum(<value>)`	Returns the summed rates for the time series associated with a specified accumulating counter metric.

Alphabetical list of functions

The following table is a quick reference of the supported statistical and charting functions, organized alphabetically. This table provides a brief description for each function. Use the links in the table to learn more about each function and to see examples.

Supported functions and syntax	Description	Type of function
`avg(<value>)`	Returns the average of the values in the field specified.	Aggregate functions
`count(<value>)`	Returns the number of occurrences where the field that you specify contains any value (is not empty. You can also count the occurrences of a specific value in the field by using the `eval` command with the `count` function. For example: `count eval(field_name="value")`.	Aggregate functions
`distinct_count(<value)`	Returns the count of distinct values in the field specified.	Aggregate functions
`earliest(<value>)`	Returns the chronologically earliest (oldest) seen occurrence of a value in the field specified.	Time functions
`earliest_time(<value>)`	Returns the UNIX time of the earliest (oldest) occurrence of a value in the field specified. Used in conjunction with the `earliest`, `latest`, and `latest_time` functions to calculate the rate of increase for an accumulating counter.	Time functions
`estdc(<value>)`	Returns the estimated count of the distinct values in the field specified.	Aggregate functions
`estdc_error(<value>)`	Returns the theoretical error of the estimated count of the distinct values in the field specified. The error represents a ratio of the `absolute_value(estimate_distinct_count - real_distinct_count)/real_distinct_count`.	Aggregate functions
`exactperc<percentile>(<value>)`	Returns a percentile value for the numeric field specified. Provides the exact value, but is very resource expensive for high cardinality fields. An alternative is `perc`.	Aggregate functions
`first(<value>)`	Returns the first seen value in a field. In general, the first seen value of the field is the most recent instance of this field, relative to the input order of events into the stats command.	Event order functions
`last(<value>)`	Returns the last seen value in a field. In general, the last seen value of the field is the oldest instance of this field relative to the input order of events into the stats command.	Event order functions
`latest(<value>)`	Returns the chronologically latest (most recent) seen occurrence of a value in a field.	Time functions
`latest_time(<value>)`	Returns the UNIX time of the latest (most recent) occurrence of a value of the field. Used in conjunction with the `earliest`, `earliest_time`, and `latest` functions to calculate the rate of increase for an accumulating counter.	Time functions
`list(<value>)`	Returns a list of up to 100 values in a field as a multivalue entry. The order of the values reflects the order of input events.	Multivalue stats and chart functions
`max(<value>)`	Returns the maximum value in the field specified. If the field values are non-numeric, the maximum value is found using lexicographical ordering. This function processes field values as numbers if possible, otherwise processes field values as strings.	Aggregate functions
`mean(<value>)`	Returns the arithmetic mean of the values in the field specified.	Aggregate functions
`median(<value>)`	Returns the middle-most value of the values in the field specified.	Aggregate functions
`min(<value>)`	Returns the minimum value in the field specified. If the field values are non-numeric, the minimum value is found using lexicographical ordering.	Aggregate functions
`mode(<value>)`	Returns the most frequent value in the field specified.	Aggregate functions
`perc<percentile>(<value>)`	Returns the N-th percentile value of all the values in the numeric field specified. Valid field values are integers from 1 to 99. Additional percentile functions are `upperperc` and `exactperc`.	Aggregate functions
`per_day(<value>)`	Returns the values in a field or eval expression for each day.	Time functions
`per_hour(<value>)`	Returns the values in a field or eval expression for each hour.	Time functions
`per_minute(<value>)`	Returns the values in a field or eval expression for each minute.	Time functions
`per_second(<value>)`	Returns the values in a field or eval expression for each second.	Time functions
`range(<value>)`	If the field values are numeric, returns the difference between the maximum and minimum values in the field specified.	Aggregate functions
`rate(<value>)`	Returns the per-second rate change of the value of the field. Represents `(latest - earliest) / (latest_time - earliest_time)` Requires the `earliest` and `latest` values of the field to be numerical, and the `earliest_time` and `latest_time` values to be different.	Time functions
`rate_avg(<value>)`	Returns the average rates for the time series associated with a specified accumulating counter metric.	Time functions
`rate_sum(<value>)`	Returns the summed rates for the time series associated with a specified accumulating counter metric.	Time functions
`stdev(<value>)`	Returns the sample standard deviation of the values in the field specified.	Aggregate functions
`stdevp(<value>)`	Returns the population standard deviation of the values in the field specified.	Aggregate functions
`sum(<value>)`	Returns the sum of the values in the field specified.	Aggregate functions
`sumsq(<value>)`	Returns the sum of the squares of the values in the field specified.	Aggregate functions
`upperperc<percentile>(<value>)`	Returns an approximate percentile value, based on the requested percentile of the numeric field. When there are more than 1000 values, the upperperc function gives the approximate upper bound for the percentile requested. Otherwise the upperperc function returns the same percentile as the `perc` function.	Aggregate functions
`values(<value>)`	Returns the list of all distinct values in a field as a multivalue entry. The order of the values is lexicographical.	Multivalue stats and chart functions
`var(<value>)`	Returns the sample variance of the values in the field specified.	Aggregate functions
`varp(<value>)`	Returns the population variance of the values in the field specified.	Aggregate functions

Answers

Have questions? Visit Splunk Answers and search for a specific function or command.

Statistical and charting functions - Splunk Documentation (2024)

FAQs

What is the stats function in Splunk? ›

The SPL2 stats command calculates aggregate statistics, such as average, count, and sum, over the incoming search results set. This is similar to SQL aggregation. If the stats command is used without a BY clause, only one row is returned, which is the aggregation over the entire incoming result set.

Learn More ›

What is the difference between stats and chart command in Splunk? ›

In Summary

Use the stats command when you want to specify 3 or more fields in the BY clause. Use the chart command when you want to create results tables that show consolidated and summarized calculations. Use the chart command to create visualizations from the results table data.

Keep Reading ›

What are the different types of charts in Splunk? ›

Line charts: Display data in a plot with data points connected by a series of straight lines. Area charts: Display in a plot similar to a line chart, except that the area below the line is filled. Column charts: Also known as bar charts.

Discover More Details ›

What is the difference between Tstats and stats command in Splunk? ›

tstats is faster than stats since tstats only looks at the indexed metadata (the . tsidx files in the buckets on the indexers) whereas stats is working off the data (in this case the raw events) before that command. Since tstats can only look at the indexed metadata it can only search fields that are in the metadata.

Find Out More ›

What are statistics functions? ›

Statistical functions are functions that perform mathematical and statistical operations and are some of the most common functions used in spreadsheets. Statistical functions are functions that perform mathematical and statistical operations and are some of the most common functions used in spreadsheets.

Learn More ›

What is the difference between stats and eval in Splunk? ›

stats operates on the whole set of events returned from the base search, and in your case you want to extract a single value from that set. eval creates a new field for all events returned in the search. Creating a new field called 'mostrecent' for all events is probably not what you intended.

Discover More ›

What are the 4 types of searches in Splunk by performance? ›

How search types affect Splunk Enterprise performance

Search type	Ref. indexer throughput	Performance impact
Dense	Up to 50,000 matching events per second.	CPU-bound
Sparse	Up to 5,000 matching events per second.	CPU-bound
Super-sparse	Up to 2 seconds per index bucket.	I/O bound
Rare	From 10 to 50 index buckets per second.	I/O bound

Explore More ›

What are the 4 most commonly used types of chart? ›

The four most common are probably line graphs, bar graphs and histograms, pie charts, and Cartesian graphs. They are generally used for, and are best for, quite different things. You would use: Bar graphs to show numbers that are independent of each other.

Learn More Now ›

What are 3 main types of charts used to explain data? ›

There are many types and designs of charts. Each type of chart has specific strengths and weaknesses that make them best suited for particular purposes and data sets. Some of the most well-known and commonly-used charts include pie charts, bar charts, and flow charts.

Get More Info ›

What is the difference between stats and transaction commands in Splunk? ›

Stats provides the aggregation. transaction provides the unique number / count. Like you perform 10 steps as part of one transaction.

Read On ›

What is the difference between stats eventstats and streamstats in Splunk? ›

Eventstats calculates a statistical result same as stats command only difference is it does not create statistical results, it aggregates them to the original raw data. Streamstats command uses events before the current event to compute the aggregate statistics that are applied to each event.

See Details ›

What are the limitations of Tstats? ›

Tstats is limited to indexed fields and data models. That means additional work may be required to create the fastest searches for your data. Acceleration isn't great for data sources with dynamic lookups that change often.

Get More Info Here ›

What is stats used for? ›

Statistics is used in many sectors such as psychology, geology, sociology, weather forecasting, probability and much more. The goal of statistics is to gain understanding from the data, it focuses on applications, and hence, it is distinctively considered as a mathematical science.

What is the stat command used for? ›

The stat command prints details about files and file systems. The tool provides information on who the owner is, modification dates, access permission, size, type, etc.

What is the stats mode function? ›

The mode in statistics refers to a number in a set of numbers that appears the most often. For example, if a set of numbers contained the following digits, 1, 1, 3, 5, 6, 6, 7, 7, 7, 8, the mode would be 7, as it appears the most out of all the numbers in the set.