Splunk Cloud Platform

Splunk Cloud Platform Splunk Enterprise Data Management Splunk Observability Cloud Splunk IT Service Intelligence AppDynamics SaaS AppDynamics On-Premises AppDynamics SAP Agent Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings Release Notes and Updates Supported Add-ons Splunk Style Guide

Splunk Cloud Platform Splunk Enterprise Data Management Splunk Observability Cloud Splunk IT Service Intelligence AppDynamics SaaS AppDynamics On-Premises AppDynamics SAP Agent Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings Release Notes and Updates Supported Add-ons Splunk Style Guide

Splunk Cloud Platform

Splunk Cloud Platform Contents

Get Started

Administer

Search

SPL2 Search Reference

Statistical and Charting Functions

Quick Reference for SPL2 stats and charting functions

Manage Knowledge Objects

Leverage REST APIs

Release Notes

Analytics and Insights

Create Dashboards and Reports

Alert and Respond

Apply Machine Learning

Data Sources

Get Data In

Ingest Data from Cloud Services

Forward and Process Data

Process Data at the Edge

Process Data at Ingest Time

Collect Stream Data

Connect Relational Databases

Common Information Model

InfoSec App for Splunk

OT Intelligence

Using Splunk Mobile

REST API Reference

SPL Search Reference

Splunk Validated Architectures

Developing Views and Apps for Splunk Web

MCP Server for Splunk Platform

Quick Reference for SPL2 stats and charting functions

There are 2 ways to find information about the supported statistical and charting functions:

Function list by category
Alphabetical list of functions

Function list by category

The following table is a quick reference of the supported statistical and charting functions. This table lists the syntax and provides a brief description for each of the functions. Use the links in the Type of function column for more details and examples.


Type of function	Supported functions and syntax	Description
Aggregate functions	`avg(value)`	Returns the average of the values in a field.
	`count(value)`	Returns the number of occurrences in a field.
	`distinct_count(value)`	Returns a count of the distinct values in a field.
	`estdc(value)`	Returns an estimated count of the distinct values in a field.
	`estdc_error(value)`	Returns the theoretical error of the estimated count of the distinct values in a field.
	`max(value)`	Returns the maximum value in a field.
	`mean(value)`	Returns the arithmetic mean of the values in a field.
	`median(value)`	Returns the middle-most value in a field.
	`min(value)`	Returns the minimum value in a field.
	`mode(value)`	Returns the most frequent value in a field.
	`perc(value,percentile)`	Returns the nth percentile of the values in a numeric field. There are 3 percentile functions: `exactperc`, `perc`, and `upperperc()`.
	`range(value)`	Returns the difference between the maximum and minimum values in a field.
	`stdev(value)`	Returns the sample standard deviation of the values in a field.
	`stdevp(value)`	Returns the population standard deviation of the values in a field.
	`sum(value)`	Returns the sum of the values in a field.
	`sumsq(value)`	Returns the sum of the squares of the values in a field.
	`var(value)`	Returns the sample variance of the values in a field.
	`varp(value)`	Returns the population variance of the values in a field.
Event order functions	`first(value)`	Returns the first seen value in a field. The first seen value is the most recent instance of this field, based on the order in which the events are seen by the stats command.
Event order functions	`last(value)`	Returns the last seen value in a field. The last seen value is the oldest instance of this field, based on the order in which the events are seen by the stats command.
Multivalue and array functions	`dataset()`	Aggregates events into arrays of SPL2 field-value objects.
	`list(value)`	Returns a multivalue entry from the values in a field. The order of the values reflects the order of the events.
	`pivot(key,value)`	Aggregates the values in a field and returns the results as an object.
	`values(value)`	Returns a list of the distinct values in a field as a multivalue entry. The order of the values is lexicographical.
Time functions	`earliest(value)`	Returns the chronologically earliest seen occurrence of a value in a field.
	`earliest_time(value)`	Returns the UNIX time of the earliest occurrence of a value in a field.
	`latest(value)`	Returns the chronologically latest seen occurrence of a value in a field.
	`latest_time(value)`	Returns the UNIX time of the latest (most recent) occurrence of a value of the field. Used in conjunction with `earliest`, `earliest_time`, and `latest` to calculate the rate of increase for an accumulating counter.
	`per_day(value)`	Returns the values in a field or eval expression for each day.
	`per_hour(value)`	Returns the values in a field or eval expression for each hour.
	`per_minute(value)`	Returns the values in a field or eval expression for each minute.
	`per_second(value)`	Returns the values in a field or eval expression for each second.
	`rate(value)`	Returns the per-second rate change of the value of the field. Represents `(latest - earliest) / (latest_time - earliest_time)` Requires the `earliest` and `latest` values of the field to be numerical, and the `earliest_time` and `latest_time` values to be different.
	`span(time,span-length)`	Groups search results by the timespan you specify.
	`sparkline(aggregate-function(value),span-length)`	Produces time-based trendline charts in the search results.

Alphabetical list of functions

The following table is a quick reference of the supported statistical and charting functions. This table lists the syntax and provides a brief description for each of the functions. Use the links for more details and examples.


Supported functions and syntax	Description	Type of function
`avg(value)`	Returns the average of the values in a field.	Aggregate functions
`count(value)`	Returns the number of occurrences in a field.	Aggregate functions
`dataset()`	Aggregates events into arrays of SPL2 field-value objects.	Multivalue and array functions
`distinct_count(value)`	Returns a count of the distinct values in a field.	Aggregate functions
`earliest(value)`	Returns the chronologically earliest seen occurrence of a value in a field.	Time functions
`earliest_time(value)`	Returns the UNIX time of the earliest occurrence of a value of the field.	Time functions
`estdc(value)`	Returns an estimated count of the distinct values in a field.	Aggregate functions
`estdc_error(value)`	Returns the theoretical error of the estimated count of the distinct values in a field.	Aggregate functions
`first(value)`	Returns the first seen value in a field. The first seen value is the most recent instance of this field, based on the order in which the events are seen by the stats command.	Event order functions
`last(value)`	Returns the last seen value in a field. The last seen value is the oldest instance of this field, based on the order in which the events are seen by the stats command.	Event order functions
`latest(value)`	Returns the chronologically latest seen occurrence of a value in a field.	Time functions
`latest_time(value)`	Returns the UNIX time of the latest occurrence of a value in a field.	Time functions
`list(value)`	Returns a multivalue entry from the values in a field. The order of the values reflects the order of the events.	Multivalue and array functions
`max(value)`	Returns the maximum value in a field.	Aggregate functions
`mean(value)`	Returns the arithmetic mean of the values in a field.	Aggregate functions
`median(value)`	Returns the middle-most value in a field.	Aggregate functions
`min(value)`	Returns the minimum value in a field.	Aggregate functions
`mode(value)`	Returns the most frequent value in a field.	Aggregate functions
`percentile(value,percentile)`	Returns the nth percentile of the values in a numeric field. There are 3 percentile functions: `exactperc`, `percentile`, and `upperperc()`.	Aggregate functions
`per_day(value)`	Returns the values in a field or eval expression for each day.	Time functions
`per_hour(value)`	Returns the values in a field or eval expression for each hour.	Time functions
`per_minute(value)`	Returns the values in a field or eval expression for each minute.	Time functions
`per_second(value)`	Returns the values in a field or eval expression for each second.	Time functions
`pivot(key,value)`	Aggregates the values in a field and returns the results as an object.	Multivalue and array functions
`range(value)`	Returns the difference between the maximum and minimum values in a field.	Aggregate functions
`rate(value)`	Returns the per-second rate change of the value of the field. Represents `(latest - earliest) / (latest_time - earliest_time)` Requires the `earliest` and `latest` values of the field to be numerical, and the `earliest_time` and `latest_time` values to be different.	Time functions
`span(time,span-length)`	Groups search results by the timespan you specify.	Time functions
`sparkline(aggregate-function(value),span-length)`	Produces time-based trendline charts in the search results.	Time functions
`stdev(value)`	Returns the sample standard deviation of the values in a field.	Aggregate functions
`stdevp(value)`	Returns the population standard deviation of the values in a field.	Aggregate functions
`sum(value)`	Returns the sum of the values in a field.	Aggregate functions
`sumsq(value)`	Returns the sum of the squares of the values in a field.	Aggregate functions
`var(value)`	Returns the sample variance of the values in a field.	Aggregate functions
`varp(value)`	Returns the population variance of the values in a field.	Aggregate functions
`values(value)`	Returns a list of the distinct values in a field as a multivalue entry. The order of the values is lexicographical.	Multivalue and array functions

See also

ON THIS PAGE

Function list by category
Alphabetical list of functions
See also

Last updated: January 16, 2026

Explore Topics

Splunk Cloud Platform

Splunk Enterprise

Data Management

Splunk Observability Cloud

Splunk IT Service Intelligence

AppDynamics SaaS

AppDynamics On-Premises

AppDynamics SAP Agent

Splunk Enterprise Security 8

Splunk Enterprise Security 7

Splunk SOAR

Security Offerings

Release Notes and Updates

Supported Add-ons

Splunk Style Guide

©2005-2025 Splunk Inc. All rights reserved.