Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Efficiency of comparing against summary statistics

tlagatta_splunk
Splunk Employee
Splunk Employee
‎05-20-2014 04:16 PM

I have a table with attributes ProductName and TotalSales, and I would like to extract the rows which are in the top 50% of total sales. Naively, I would pipe this into search TotalSales>=median(TotalSales). However, since search doesn't support the median function, Splunk returns no events.

I can make this work via the following hack:

| eventstats median(TotalSales) as MTS | where TotalSales>=MTS | fields - MTS

I'm worried about the efficiency of this hack. If I omit the fields - MTS command, then the output is a table with attribute MTS, with the median value replicated across all rows. If I have only 20 products, then this isn't that big of a deal, but if I have 500,000 products, then this is an enormous amount of redundancy in memory.

My question: what is Splunk doing under the hood? That is,

  • is Splunk literally replicating the median value in memory dc(ProductName) of times, then deleting it once I remove the MTS field?
  • Or, is Splunk smart enough to use the median value just once, and only replicate it only if I insist on viewing the entire table with the MTS field?
0 Karma
Reply

lguinn2
Legend
‎05-20-2014 05:56 PM

That is not a hack; it is a valid approach. Here is an alternate approach, which I believe will be slower, not faster:

yoursearchhere
| eval MTS = [ yoursearchhere-again | stats median(TotalSales) as query ]
| where TotalSales >= MTS

But you can test and see...

Reply

lguinn2
Legend
‎05-22-2014 02:31 PM

That information is not published, and I don't think it is the sort of thing that Splunk will reveal. However, it does seem silly to replicate the number in memory; I would guess that it is optimized.

0 Karma
Reply

tlagatta_splunk
Splunk Employee
Splunk Employee
‎05-21-2014 12:18 AM

Thanks, Lisa! That's an interesting workaround. However, it doesn't quite answer my "under the hood" question.

Suppose that we have 500,000 products. I'd like to know whether Splunk is literally storing the median value 500,000 times during the piping (replicated across each product name), or whether the replication happens purely at the end of the pipeline (when the visual table is being generated).

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...