Generate timechart with normalized/rescaled data p...

izx · ‎08-06-2020

Hello,

I'm trying to analyze an A/B test results on access pattern changes for a specific field.

Simplified query looks like:

index=test-app (ab_test_id="baseline" OR ab_test_id="ab123")
| timechart count(eval(ab_test_id=="baseline")) as Baseline count(eval(ab_test_id=="abc123")) as Test by api_endpoint

Since the event counts diff by ~100x, it will be better to re-scale the data either like the following min-max normalization, or just a percentage of each API endpoint, e.g. api_xyz may account for 20% in baseline, but receives 50% in the A/B test (ab123).

https://community.splunk.com/t5/Archive/Normalizing-feature-scaling-a-datapoint/td-p/194303

I used to have a concat field on the timechart, like

index=test-app (ab_test_id="baseline" OR ab_test_id="abc123")
| eval endpoint_by_ab=mvzip(api_endpoint, ab_test_id, "_")
| timechart count by endpoint_by_ab
| addtotals row=true fieldname=_total_baseline *_baseline
| addtotals row=true fieldname=_total_ab *_abc123
| foreach *_baseline [eval <<FIELD>> = round('<<FIELD>>' * 100 / _total_baseline)]
| foreach *_abc123 [eval <<FIELD>> = round('<<FIELD>>' * 100 / _total_ab)]

It will be great to use the original api_endpoint to leverage the trellis layout to compare baseline with A/B for each api_endpoint, how should I do that?

Thanks,

Generate timechart with normalized/rescaled data points

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Casting Call: Compete in Cyber Games

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works

Join the Conversation