Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Keeping highest 99% of values for each field value

jrnastase
Explorer
‎07-24-2017 01:56 PM

Hello all. I have calculated measures of a given statistic for a variety of values for the field "Link", and I need to keep the top 99% of values for each Link, and then find the average/minimum of what is left over. Any idea how to do that?

I tried sorting, then dedup X Link to return the top X values, but the problem is each link has a different number of points. Any help would be greatly appreciated!

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎07-24-2017 03:47 PM

Yes, you've got it precisely. It's not possible to eliminate the bottom 1% without passing the file, so eventstats is required. Then you have to pass the file again to get the new average.

In other contexts, you can look at outlier for a one-step cleaning command that defaults to get move inward everything that is outside of 2.5x the interquartile range.

Reply

jrnastase
Explorer
‎07-24-2017 03:06 PM

Not sure if the most efficient solution but here's what I have so far that seems to work...

| eventstats perc01(statistic) as statistic_01p BY Field
| where statistic >= statistic_01p
| stats avg(statistic), min(statistic) BY Field

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...