https://community.splunk.com/t5/Splunk-Search/How-can-I-get-box-and-whisker-plot-values/m-p/53728#M13070 <P>You have at least three problems with your search:</P> <UL> <LI>When comparing two fields, you cannot use <CODE>search</CODE> - you must use <CODE>where</CODE>. <CODE>search</CODE> always assumes that the value to the right of the comparator is a string literal, whereas <CODE>where</CODE> will treat the right-hand side as a field.</LI> <LI>In your comparison, you are attempting to compare <CODE>lfence</CODE> and <CODE>ufence</CODE> to <CODE>bar</CODE> - however, <CODE>bar</CODE> is no longer a valid field in the result set after you invoke the <CODE>stats</CODE> command. Take a look at the tabular output of just the initial search and <CODE>stats</CODE> to see what I mean.</LI> <LI>You need to use an explicit <CODE>AND</CODE> in your <CODE>where</CODE> clause (as well as if you were using a <CODE>search</CODE> clause)</LI> </UL> <P>You probably want to do something like this:</P> <PRE><CODE>index=foo |eventstats p25(bar) as q1, p50(bar) as bmed, p75(bar) as q3 |eval irq=q3-q1 |eval lfence=q1-1.5*irq |eval ufence=q3+1.5*irq |where bar&gt;=lfence AND bar&lt;=ufence |stats min(bar) as lfence max(bar) as ufence values(q1) as q1 values(bmed) as bmed values(q3) as q3 values(irq) as irq </CODE></PRE> Fri, 18 May 2012 00:16:30 GMT araitz 2012-05-18T00:16:30Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-box-and-whisker-plot-values/m-p/53725#M13067 <P>I don't have any problem getting the Q1, Median, Q3, and IQR values using percX(), median and eval. What I'm having trouble with is separating the outliers from the rest of the data. I'm trying to do something like this:</P> <PRE><CODE>index=foo |stats p25(bar) as q1, p50(bar) as bmed, p75(bar) as q3 |eval irq=q3-q1 |eval lfence=q1-1.5*iqr |eval ufence=q3+1.5*iqr |search bar&gt;=lfence bar&lt;=ufence |stats min(bar) as lfence, max(bar) as ufence |table lfence,q1,bmed,q3,ufence,iqr </CODE></PRE> <P>However this returns no results. Does anyone know how I can get these values? I know outlier uses IQR to remove outliers, but if I used that first it would change the median, q1, q3 and iqr.</P> Wed, 16 May 2012 20:37:37 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-box-and-whisker-plot-values/m-p/53725#M13067 caffein 2012-05-16T20:37:37Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-box-and-whisker-plot-values/m-p/53726#M13068 <P>Perhaps you mean <CODE>| search bar&gt;=lfence ...</CODE> rather than <CODE>| select...</CODE></P> <P>Unless select is some brand new or custom search command I am unaware of, I think that is your problem.</P> Thu, 17 May 2012 22:03:32 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-box-and-whisker-plot-values/m-p/53726#M13068 araitz 2012-05-17T22:03:32Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-box-and-whisker-plot-values/m-p/53727#M13069 <P>I wish it were that simple, but that was just a typo. Changing select to search doesn't help at all, and I still get no results back. If I remove the last 3 lines I can get the q1,median,q3 and iqr though.</P> Thu, 17 May 2012 22:32:46 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-box-and-whisker-plot-values/m-p/53727#M13069 caffein 2012-05-17T22:32:46Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-box-and-whisker-plot-values/m-p/53728#M13070 <P>You have at least three problems with your search:</P> <UL> <LI>When comparing two fields, you cannot use <CODE>search</CODE> - you must use <CODE>where</CODE>. <CODE>search</CODE> always assumes that the value to the right of the comparator is a string literal, whereas <CODE>where</CODE> will treat the right-hand side as a field.</LI> <LI>In your comparison, you are attempting to compare <CODE>lfence</CODE> and <CODE>ufence</CODE> to <CODE>bar</CODE> - however, <CODE>bar</CODE> is no longer a valid field in the result set after you invoke the <CODE>stats</CODE> command. Take a look at the tabular output of just the initial search and <CODE>stats</CODE> to see what I mean.</LI> <LI>You need to use an explicit <CODE>AND</CODE> in your <CODE>where</CODE> clause (as well as if you were using a <CODE>search</CODE> clause)</LI> </UL> <P>You probably want to do something like this:</P> <PRE><CODE>index=foo |eventstats p25(bar) as q1, p50(bar) as bmed, p75(bar) as q3 |eval irq=q3-q1 |eval lfence=q1-1.5*irq |eval ufence=q3+1.5*irq |where bar&gt;=lfence AND bar&lt;=ufence |stats min(bar) as lfence max(bar) as ufence values(q1) as q1 values(bmed) as bmed values(q3) as q3 values(irq) as irq </CODE></PRE> Fri, 18 May 2012 00:16:30 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-box-and-whisker-plot-values/m-p/53728#M13070 araitz 2012-05-18T00:16:30Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-box-and-whisker-plot-values/m-p/53729#M13071 <P>You also have a typo - <CODE>irq</CODE> vs. <CODE>iqr</CODE>. See my answer below, I tested this on splunk's _internal index using "instantaneous_eps" rather than "bar".</P> Mon, 28 Sep 2020 11:50:29 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-box-and-whisker-plot-values/m-p/53729#M13071 araitz 2020-09-28T11:50:29Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-box-and-whisker-plot-values/m-p/53730#M13072 <P>YES! That did the trick. Thanks. I'm not that familiar with eventstats, and where, so I'll have to spend some time reading up on them.</P> Fri, 18 May 2012 00:48:53 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-box-and-whisker-plot-values/m-p/53730#M13072 caffein 2012-05-18T00:48:53Z