Splunk Search

Average of Transactions for the top 50% of transactions

adityapavan18
Contributor

Hi,

I have data of transactions in logs.

using "duration" i can take the total duration of very transaction.And avg(duration) will give me the avg of all the transactions.

Now i need to calculate the average of only the top 50% best transaction on time.

i.e for example i have 100 transactions, I sort them according to duration(min to max), i need the average of the first 50 trasactions.

How can i achieve this?

Tags (3)
1 Solution

carasso
Splunk Employee
Splunk Employee

Here's how to do it.

1) calculate the median value for duration, using "eventstats", which puts the value onto every event/transation.

2) use "where" to filter out events/transactions that are below the median duration.

3) now calculate the average duration for the remaining events/transactions

Putting it all together:

"your transaction search" | eventstats median(duration) as threshold | where duration>= threshold | stats avg(duration)

View solution in original post

carasso
Splunk Employee
Splunk Employee

Here's how to do it.

1) calculate the median value for duration, using "eventstats", which puts the value onto every event/transation.

2) use "where" to filter out events/transactions that are below the median duration.

3) now calculate the average duration for the remaining events/transactions

Putting it all together:

"your transaction search" | eventstats median(duration) as threshold | where duration>= threshold | stats avg(duration)

View solution in original post

Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.