See the Quick Reference for SPL2 Stats and Charting Functions for a list of the supported statistical functions, along with a brief description and the syntax for each function.

You can use the statistical and charting functions with the stats, eventstats, streamstats, and timechart commands.

In some of the examples for the statistical and charting functions you might see eval expressions.

Using an eval expression in a statistical or charting function is a shortcut for specifying an eval command that creates a field, followed by a stats command that references that field.

For example:

... | stats count(eval(status="404")) AS count_status BY sourcetype

Here's another example:

... | timechart eval(round(avg(cpu_seconds),2)) BY processor

... | stats func(eval(<expression>)) 

This eval <expression> syntax is equivalent to this command syntax:

... | eval temp_field = <expression> | stats func(temp_field)

... | eval temp_field = <expression> | stats func(temp_field)

• All functions that accept strings can accept either a literal string or a field name. 
• All functions that accept numbers can accept either literal numbers or any numeric field name.

Most of the statistical and charting functions expect the field values to be numbers. All of the values are processed as numbers, and any non-numeric values are ignored.

The following functions process the field values as string literal values, even though the values are numbers.

For example, you use the distinct_count function and the field contains values such as "1", "1.0", and "01". Each value is considered a distinct string value.

The only exceptions are the max and min functions. These functions process values as numbers if possible. For example, the values "1", "1.0", and "01" are processed as the same numeric value.