topic Re: Can splunk do stats multimode(field)? in Splunk Search

Can splunk do stats multimode(field)?

lpolo — Wed, 22 Feb 2012 19:00:02 GMT

Splunk support the statistical function "mode(X)". According to the Splunk documentation this function returns the most frequent value of field X.
I was able to experience that Splunk reports the correct mode from a set of numbers that are unique.

Is there an undocumented stats command or query that reports the multimode from a set of numbers that are not unique.

Example:
The mode of the set [1, 3, 3, 3, 3, 3, 7, 7, 12, 12, 17] is 3. The mode of set [3, 3, 6, 7, 7, 89, 89] is 89, 7, and 3 "Multimodal".

Thanks,
Lp

Re: Can splunk do stats multimode(field)?

bwooden — Wed, 22 Feb 2012 22:06:52 GMT

I do not know of a way using just stats. If someone else has a solution, I'd love to see it. Otherwise, you can grab a multimodal list with something like this:

... | stats count(EventCode) as count by EventCode | eventstats max(count) as mode_indicator | where count=mode_indicator | mvcombine delim="," EventCode | fields mode

Re: Can splunk do stats multimode(field)?

lpolo — Wed, 29 Feb 2012 12:35:19 GMT

Thanks.
I will test it and let you know.

Re: Can splunk do stats multimode(field)?

lpolo — Fri, 01 Jun 2012 11:21:58 GMT

I tested it seems to do the work.