Splunk Enterprise

Splunk Observability Cloud Splunk IT Service Intelligence Splunk Cloud Platform Splunk Enterprise Data Management Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings AppDynamics SaaS AppDynamics On-Premises AppDynamics SAP Agent Release Notes and Updates Supported Add-ons

Splunk Observability Cloud Splunk IT Service Intelligence Splunk Cloud Platform Splunk Enterprise Data Management Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings AppDynamics SaaS AppDynamics On-Premises AppDynamics SAP Agent Release Notes and Updates Supported Add-ons

Splunk Enterprise

Splunk Enterprise Contents

Get Started

Administer

Search

SPL2 Search Reference

Statistical and Charting Functions

Quick Reference for SPL2 Stats and Charting Functions

Manage Knowledge Objects

Leverage REST APIs

Release Notes and Updates

Analytics and Insights

Create Dashboards and Reports

Alert and Respond

Apply Machine Learning

Data Sources

Get Data In

Forward and Process Data

Process Data at the Edge

Connect Relational Databases

Collect Stream Data

Common Information Model

InfoSec App for Splunk

Splunk Edge Hub OS

Splunk OT Intelligence

Splunk Edge Hub Mobile App

Splunk Mobile for Android

Splunk Mobile for iOS

REST API Reference

SPL Search Reference

Splunk Validated Architectures

Developing Views and Apps for Splunk Web

Translated Documentation

MCP Server for Splunk Platform

Quick Reference for SPL2 Stats and Charting Functions

There are two ways to find information about the supported statistical and charting functions:

Function list by category
Alphabetical list of functions

Function list by category

The following table is a quick reference of the supported statistical and charting functions. This table lists the syntax and provides a brief description for each of the functions. Use the links in the Type of function column for more details and examples.


Type of function	Supported functions and syntax	Description
Aggregate functions	`avg(<value>)`	Returns the average of the values in a field.
	`count(<value>)`	Returns the number of occurrences in a field.
	`distinct_count(<value>)`	Returns a count of the distinct values in a field.
	`estdc(<value>)`	Returns an estimated count of the distinct values in a field.
	`estdc_error(<value>)`	Returns the theoretical error of the estimated count of the distinct values in a field.
	`max(<value>)`	Returns the maximum value in a field.
	`mean(<value>)`	Returns the arithmetic mean of the values in a field.
	`median(<value>)`	Returns the middle-most value in a field.
	`min(<value>)`	Returns the minimum value in a field.
	`mode(<value>)`	Returns the most frequent value in a field.
	`perc(<value>,<percentile>)`	Returns the nth percentile of the values in a numeric field. There are three percentile functions: `exactperc`, `perc`, and `upperperc()`.
	`range(<value>)`	Returns the difference between the maximum and minimum values in a field.
	`stdev(<value>)`	Returns the sample standard deviation of the values in a field.
	`stdevp(<value>)`	Returns the population standard deviation of the values in a field.
	`sum(<value>)`	Returns the sum of the values in a field.
	`sumsq(<value>)`	Returns the sum of the squares of the values in a field.
	`var(<value>)`	Returns the sample variance of the values in a field.
	`varp(<value>)`	Returns the population variance of the values in a field.
Event order functions	`first(<value>)`	Returns the first seen value in a field. The first seen value is the most recent instance of this field, based on the order in which the events are seen by the `stats` command.
Event order functions	`last(<value>)`	Returns the last seen value in a field. The last seen value is the oldest instance of this field, based on the order in which the events are seen by the `stats` command.
Multivalue and array functions	`dataset()`	Aggregates events into arrays of SPL2 field-value objects.
	`list(<value>)`	Returns a multivalue entry from the values in a field. The order of the values reflects the order of the events.
	`pivot(<key>,<value>)`	Aggregates the values in a field and returns the results as an object.
	`values(<value>)`	Returns a list of the distinct values in a field as a multivalue entry. The order of the values is lexicographical.
Time functions	`earliest(<value>)`	Returns the chronologically earliest seen occurrence of a value in a field.
	`earliest_time(<value>)`	Returns the UNIX time of the earliest occurrence of a value in a field.
	`latest(<value>)`	Returns the chronologically latest seen occurrence of a value in a field.
	`latest_time(<value>)`	Returns the UNIX time of the latest (most recent) occurrence of a value of the field. Used in conjunction with `earliest`, `earliest_time`, and `latest` to calculate the rate of increase for an accumulating counter.
	`per_day(<value>)`	Returns the values in a field or eval expression for each day.
	`per_hour(<value>)`	Returns the values in a field or eval expression for each hour.
	`per_minute(<value>)`	Returns the values in a field or eval expression for each minute.
	`per_second(<value>)`	Returns the values in a field or eval expression for each second.
	`rate(<value>)`	Returns the per-second rate change of the value of the field. Represents `(latest - earliest) / (latest_time - earliest_time)` Requires the `earliest` and `latest` values of the field to be numerical, and the `earliest_time` and `latest_time` values to be different.
	`span(<time>,<span-length>)`	Groups search results by the timespan you specify.
	`sparkline(<aggregate-function>(<value>),<span-length>)`	Produces time-based trendline charts in the search results.

Alphabetical list of functions

The following table is a quick reference of the supported statistical and charting functions. This table lists the syntax and provides a brief description for each of the functions. Use the links for more details and examples.


Supported functions and syntax	Description	Type of function
`avg(<value>)`	Returns the average of the values in a field.	Aggregate functions
`count(<value>)`	Returns the number of occurrences in a field.	Aggregate functions
`dataset()`	Aggregates events into arrays of SPL2 field-value objects.	Multivalue and array functions
`distinct_count(<value>)`	Returns a count of the distinct values in a field.	Aggregate functions
`earliest(<value>)`	Returns the chronologically earliest seen occurrence of a value in a field.	Time functions
`earliest_time(<value>)`	Returns the UNIX time of the earliest occurrence of a value of the field.	Time functions
`estdc(<value>)`	Returns an estimated count of the distinct values in a field.	Aggregate functions
`estdc_error(<value>)`	Returns the theoretical error of the estimated count of the distinct values in a field.	Aggregate functions
`first(<value>)`	Returns the first seen value in a field. The first seen value is the most recent instance of this field, based on the order in which the events are seen by the `stats` command.	Event order functions
`last(<value)`	Returns the last seen value in a field. The last seen value is the oldest instance of this field, based on the order in which the events are seen by the `stats` command.	Event order functions
`latest(<value>)`	Returns the chronologically latest seen occurrence of a value in a field.	Time functions
`latest_time(<value>)`	Returns the UNIX time of the latest occurrence of a value in a field.	Time functions
`list(<value>)`	Returns a multivalue entry from the values in a field. The order of the values reflects the order of the events.	Multivalue and array functions
`max(<value>)`	Returns the maximum value in a field.	Aggregate functions
`mean(<value>)`	Returns the arithmetic mean of the values in a field.	Aggregate functions
`median(<value>)`	Returns the middle-most value in a field.	Aggregate functions
`min(<value>)`	Returns the minimum value in a field.	Aggregate functions
`mode(<value>)`	Returns the most frequent value in a field.	Aggregate functions
`percentile(<value>,<percentile>)`	Returns the nth percentile of the values in a numeric field. There are three percentile functions: `exactperc`, `percentile`, and `upperperc()`.	Aggregate functions
`per_day(<value>)`	Returns the values in a field or eval expression for each day.	Time functions
`per_hour(<value>)`	Returns the values in a field or eval expression for each hour.	Time functions
`per_minute(<value>)`	Returns the values in a field or eval expression for each minute.	Time functions
`per_second(<value>)`	Returns the values in a field or eval expression for each second.	Time functions
`pivot(<key>,<value>)`	Aggregates the values in a field and returns the results as an object.	Multivalue and array functions
`range(<value>)`	Returns the difference between the maximum and minimum values in a field.	Aggregate functions
`rate(<value>)`	Returns the per-second rate change of the value of the field. Represents `(latest - earliest) / (latest_time - earliest_time)` Requires the `earliest` and `latest` values of the field to be numerical, and the `earliest_time` and `latest_time` values to be different.	Time functions
`span(<time>,<span-length>)`	Groups search results by the timespan you specify.	Time functions
`sparkline(<aggregate-function>(<value>),<span-length>)`	Produces time-based trendline charts in the search results.	Time functions
`stdev(<value>)`	Returns the sample standard deviation of the values in a field.	Aggregate functions
`stdevp(<value>)`	Returns the population standard deviation of the values in a field.	Aggregate functions
`sum(<value>)`	Returns the sum of the values in a field.	Aggregate functions
`sumsq(<value>)`	Returns the sum of the squares of the values in a field.	Aggregate functions
`var(<value>)`	Returns the sample variance of the values in a field.	Aggregate functions
`varp(<value>)`	Returns the population variance of the values in a field.	Aggregate functions
`values(<value>)`	Returns a list of the distinct values in a field as a multivalue entry. The order of the values is lexicographical.	Multivalue and array functions

See also

ON THIS PAGE

Function list by category
Alphabetical list of functions
See also

Last updated: July 23, 2025

Explore Topics

Splunk Observability Cloud

Splunk IT Service Intelligence

Splunk Cloud Platform

Splunk Enterprise

Data Management

Splunk Enterprise Security 8

Splunk Enterprise Security 7

Splunk SOAR

Security Offerings

AppDynamics SaaS

AppDynamics On-Premises

AppDynamics SAP Agent

Release Notes and Updates

Supported Add-ons

©2005-2025 Splunk Inc. All rights reserved.