https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437441#M171560 <P>Hi @zacksoft - Yes the list is limited to 100 values - <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Multivaluefunctions">https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Multivaluefunctions</A></P> <P>I honestly, did not think from the examples that you had provided that in any specific case your list of values will exceed 100 .<BR /> What is/could be the maximum number of values in your case?</P> Fri, 03 May 2019 16:09:42 GMT Sukisen1981 2019-05-03T16:09:42Z https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437436#M171555 <PRE><CODE>host = Mayhem sourcetype="phutans:servo" host=R00878 | eval headers=split(_raw," ") | eval plant_length=mvindex(headers,10) | sort 0 plant_length </CODE></PRE> <P>(I am trying to calculate mean plant_lenght here but in a different way)</P> <P>Let me put it as example :<BR /> say we get 10 values of plant_length. 1, 2, 2, 3, 4, 4, 4, 5, 20<BR /> Ideally to get mean, we would do (1+2+2+3+4+4+4++5+20)/10<BR /> But I don't want it this way. What I am looking for is to drop 10% of data in each tail and divide by number of values left.</P> <P>Like this : (2+2+3+4+4+4++5)/8<BR /> In the numerator here the bottom 10% data (1) and top 10% of data(20) is dropped , so we have 8 vales left, hence the denominator is 8. </P> <P>(In the above example as we have 10 values so 10% of 10 becomes 1. Therefore 1 value is dropped from top end and 1 value from bottom end.) And after dropping 2 values the denominator has to be 8 , not 10)</P> <P>I could use some help in implementing the above scenario.</P> Thu, 02 May 2019 14:48:01 GMT https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437436#M171555 zacksoft 2019-05-02T14:48:01Z https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437437#M171556 <P>Try this - <CODE>index="_audit" <BR /> | stats values(available_count)<BR /> | rename values(available_count) as x<BR /> | eval perc=0.1*mvcount(x)<BR /> | mvexpand x<BR /> | eventstats count(x) as maxcount<BR /> | streamstats count as row<BR /> | where row&gt;perc<BR /> | eval z=maxcount-row<BR /> | where z&gt;perc|reverse</CODE></P> <P>I have bulit out this on action_count on the _audit index, so the code works as is for you. Now I have renamed action_count as x and removed the top and bottom 10% values, the left over values of x is what you need to use to form your average.<BR /> WARNING - Run this for last 7 days to have a large data set AND the values keep updating real time so look at maxcount and perc. macount is your total at any point in time and perc is what you need to trim from the bottom and top at any point of time..hope it helps </P> Wed, 30 Sep 2020 00:24:56 GMT https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437437#M171556 Sukisen1981 2020-09-30T00:24:56Z https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437438#M171557 <P>stats value(available_count) ...gives me the unique entries only.<BR /> if I have six values such as 2,2,3,3,4,4. It only shows 2,3,4</P> Fri, 03 May 2019 11:44:51 GMT https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437438#M171557 zacksoft 2019-05-03T11:44:51Z https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437439#M171558 <P>hi you need to replace vlaues with list if you want non-unique values as well</P> <PRE><CODE>index="_audit" | stats list(available_count) | rename list(available_count) as x | eval perc=0.1*mvcount(x) | mvexpand x | eventstats count(x) as maxcount | streamstats count as row | where row&gt;perc | eval z=maxcount-row | where z&gt;perc|reverse </CODE></PRE> Fri, 03 May 2019 12:41:17 GMT https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437439#M171558 Sukisen1981 2019-05-03T12:41:17Z https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437440#M171559 <P>The 'list' only returns 100 values. Is there anyway to override that to see all the values?</P> Fri, 03 May 2019 14:52:07 GMT https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437440#M171559 zacksoft 2019-05-03T14:52:07Z https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437441#M171560 <P>Hi @zacksoft - Yes the list is limited to 100 values - <A href="https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Multivaluefunctions">https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Multivaluefunctions</A></P> <P>I honestly, did not think from the examples that you had provided that in any specific case your list of values will exceed 100 .<BR /> What is/could be the maximum number of values in your case?</P> Fri, 03 May 2019 16:09:42 GMT https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437441#M171560 Sukisen1981 2019-05-03T16:09:42Z https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437442#M171561 <P>Try this - this should account for all values , not just the list limit of 100</P> <PRE><CODE>index="_audit" | table available_count,_time | where isnotnull(available_count) | rename available_count as x | eventstats count(x) as maxcount | eval perc=0.1*maxcount | streamstats count as row | where row&gt;perc | eval z=maxcount-row | where z&gt;perc|reverse </CODE></PRE> Fri, 03 May 2019 16:23:32 GMT https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437442#M171561 Sukisen1981 2019-05-03T16:23:32Z https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437443#M171562 <P>@Sukisen1981 Thank you for so patiently assisting with this issue. Really appreciate it. <BR /> This is exactly what I wanted.<BR /> If I may add one small thing...."what if instead of dropping the tail 10 % of data, I choose to replace them with the next available data.<BR /> e.g. 1, 2, 2, 3, 4, 4, 4, 5, 20<BR /><BR /> The 10 % on each side is, 1 and 20.<BR /> So the updated data set to become 2, 2, 2, 3, 4, 4, 4, 5, 5. (I just replaced the each extreme 10 % with the nearest value). Could you please guide how to achieve this. Thank you.</P> Mon, 06 May 2019 10:47:00 GMT https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437443#M171562 zacksoft 2019-05-06T10:47:00Z https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437444#M171563 <P>Hi @zacksoft - this looks a bit tough, I suggest asking a separate question on this in the forum. Meanwhile, I will try to find a solution,many apologies but office work calls <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Mon, 06 May 2019 15:34:45 GMT https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437444#M171563 Sukisen1981 2019-05-06T15:34:45Z https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437445#M171564 <P>Sure @Sukisen1981 . If you get time.<BR /> Following is the link of the new question.<BR /> <A href="https://answers.splunk.com/answers/744080/winsorized-average-calculation.html?minQuestionBodyLength=80">https://answers.splunk.com/answers/744080/winsorized-average-calculation.html?minQuestionBodyLength=80</A></P> Tue, 07 May 2019 14:31:05 GMT https://community.splunk.com/t5/Splunk-Search/Trimmed-Average-Calculation/m-p/437445#M171564 zacksoft 2019-05-07T14:31:05Z