I have a continuous stream of response times for a given service. A fraction of these responses can be very high due to various reasons. I would like to omit such occurrences (assuming that these are 2%) and calculate the average response time. Can this be achieved in a simple manner? Example illustrated below:
Service ---> Response Time (98% of the time)
A ---> 3.5 ms (assuming values - 2,2,2,2,2,2,2,10 - needs to omit 10)
B ---> 4 ms (assuming values - 4,4,4,4,4,5,7,11 - needs to omit 11)
You can tweak acceptable parameters based on standard deviation or other stats. The search below will calculate the standard deviation of a and the existing average of a. Next we will make a null if the value of a + standard deviation is greater than the average of a + standard deviation. Finally we filter out null values and return the average of what remains...
... | eventstats stdev(a) as stdev_a avg(a) as avg_a | eval a=if(a+stdev_a < avg_a+stdev_a, a, null()) | where isnotnull(a) | stats avg(a)
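Added example, not part of the original question or answer: a Python replay of the posted filter next to a 98th-percentile cutoff, run on the two sample series from the question and on a constructed 100-sample stream. The function names, the nearest-rank percentile method and the STREAM values are assumptions made for this illustration.

```python
import statistics

# Sample series from the question, plus a constructed 100-sample stream
# (98 ordinary response times and 2 very slow ones).
SERVICE_A = [2, 2, 2, 2, 2, 2, 2, 10]
SERVICE_B = [4, 4, 4, 4, 4, 5, 7, 11]
STREAM = [2 + (i % 4) for i in range(98)] + [250, 900]  # constructed


def mean_below_percentile(values, pct=98):
    """Average of the values at or below the nearest-rank pct-th percentile.

    Roughly what this SPL (added here, not from the answer) does:
    ... | eventstats perc98(a) as p98 | where a<=p98 | stats avg(a)
    """
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = max(1, (pct * len(ordered) + 99) // 100)  # integer ceil, 1-based
    cutoff = ordered[rank - 1]
    kept = [v for v in ordered if v <= cutoff]
    return statistics.fmean(kept), cutoff, len(kept)


def mean_posted_filter(values):
    """Replays the posted pipeline literally: keep a where a+stdev < avg+stdev.

    stdev appears on both sides of the comparison, so the rows that
    survive are the ones below the overall mean.
    """
    if len(values) < 2:
        raise ValueError("stdev needs at least two samples")
    avg = statistics.fmean(values)
    sd = statistics.stdev(values)  # sample standard deviation
    kept = [v for v in values if v + sd < avg + sd]
    # All-equal input keeps nothing; SPL would return no row in that case.
    return (statistics.fmean(kept) if kept else None), len(kept)


if __name__ == "__main__":
    for name, data in (("A", SERVICE_A), ("B", SERVICE_B), ("stream", STREAM)):
        p_mean, cutoff, p_kept = mean_below_percentile(data)
        f_mean, f_kept = mean_posted_filter(data)
        print(f"{name}: raw={statistics.fmean(data):.3f} "
              f"p98<= {cutoff} keeps {p_kept} avg={p_mean:.3f} | "
              f"posted filter keeps {f_kept} avg={f_mean:.3f}")
```

With only 8 samples the 98th-percentile cutoff is the maximum itself, so nothing is dropped; a 2% trim only takes effect once a series has enough events for 2% to cover at least one of them.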