Compatibility Quick Reference for SPL2 statistical functions

Quick reference table showing which SPL2 statistical functions are supported for each SPL2 profile.

An SPL2 profile maps to a set of SPL2 commands and functions that are used by a given product. See SPL2 compatibility profiles.

The following table shows which SPL2 statistical functions are supported for each product profile:

Supported functions and syntax Description splunkd1
profile		 edgeProcessor profile ingestProcessor profile
avg(value) Returns the average of the values in a field. Yes    
count(value) Returns the number of occurrences in a field. Yes Yes Yes
dataset() Aggregates events into arrays of SPL2 field-value objects. Yes    
distinct_count(value) Returns a count of the distinct values in a field. Yes    
earliest(value) Returns the chronologically earliest seen occurrence of a value in a field. Yes    
earliest_time(value) Returns the UNIX time of the earliest occurrence of a value of the field. Yes    
estdc(value) Returns an estimated count of the distinct values in a field. Yes    
estdc_error(value) Returns the theoretical error of the estimated count of the distinct values in a field. Yes    
first(value) Returns the first seen value in a field. The first seen value is the most recent instance of this field, based on the order in which the events are seen by the stats command. Yes    
last(value) Returns the last seen value in a field. The last seen value is the oldest instance of this field, based on the order in which the events are seen by the stats command. Yes    
latest(value) Returns the chronologically latest seen occurrence of a value in a field. Yes    
latest_time(value) Returns the UNIX time of the latest occurrence of a value in a field. Yes    
list(value) Returns a multivalue entry from the values in a field. The order of the values reflects the order of the events. Yes    
max(value) Returns the maximum value in a field. Yes Yes Yes
mean(value) Returns the arithmetic mean of the values in a field. Yes    
median(value) Returns the middle-most value in a field. Yes    
min(value) Returns the minimum value in a field. Yes Yes Yes
mode(value) Returns the most frequent value in a field. Yes    
perc(value,percentile) Returns the nth percentile of the values in a numeric field. There are three percentile functions: exactperc, perc, and upperperc(). Yes    
per_day(value) Returns the values in a field or eval expression for each day. Yes    
per_hour(value) Returns the values in a field or eval expression for each hour. Yes    
per_minute(value) Returns the values in a field or eval expression for each minute. Yes    
per_second(value) Returns the values in a field or eval expression for each second. Yes    
pivot(key,value) Aggregates the values in a field and returns the results as an object. Yes    
range(value) Returns the difference between the maximum and minimum values in a field. Yes    
rate(value) Returns the per-second rate change of the value of the field. Yes    
span(time,span-length) Groups search results by the timespan you specify. Yes Yes Yes
sparkline(aggregate-function(value),span-length) Produces time-based trendline charts in the search results. Yes    
stdev(value) Returns the sample standard deviation of the values in a field. Yes    
stdevp(value) Returns the population standard deviation of the values in a field. Yes    
sum(value) Returns the sum of the values in a field. Yes Yes Yes
sumsq(value) Returns the sum of the squares of the values in a field. Yes    
var(value) Returns the sample variance of the values in a field. Yes    
varp(value) Returns the population variance of the values in a field. Yes    
values(value) Returns a list of the distinct values in a field as a multivalue entry. The order of the values is lexicographical. Yes    

1The splunkd profile is currently used by Splunk platform SPL2-based app development and the Search tab of the Data Management experience.

See also

Additional compatibility information

Edge Processor information

Ingest Processor information

SPL2 information