topic Re: Bell Curve Average Duration times in Splunk Search

Bell Curve Average Duration times

dreamwork801 — Mon, 14 Jul 2014 15:56:54 GMT

So I am trying to get an average duration time for request.
Currently I am using this request with gets the top 5 percent, and bottom 5 percent of times and removes them with the idea that they are outliers. I realized that this may not always be accurate if the top 5 or bottom 5 percent are actually close to the mean and not outliers. So how would I change this search to remove anything that is 3 standard deviations away from the mean?

Re: Bell Curve Average Duration times

somesoni2 — Mon, 14 Jul 2014 16:12:19 GMT

Something like this?

"Data.PlatformTeam" = "payments" | eventstats mean(Duration) as mean, stdev(Duration) as stdev by Name| where abs(mean-stdev)< 3 | stats avg(Duration) as Average, count as Frequency by Name | sort -Average

Re: Bell Curve Average Duration times

emiller42 — Mon, 14 Jul 2014 17:15:13 GMT

This will do it.

"Data.PlatformTeam"="payments"  | eventstats avg(duration) as avg stdev(duration) as stdev by Name |  where abs(duration-avg) < stdev*3 | stats avg(duration) as Average, count as Frequency by Name | sort -Average

Re: Bell Curve Average Duration times

dreamwork801 — Mon, 14 Jul 2014 20:48:28 GMT

This is exactly what I was looking for. Thank you