Splunk Search

How do I write a Custom stat function

tincupchalice
Path Finder

I am not trying to write a custom search command from the docs I've read on that topic. I would rather like to write my own linear interpolation percentile functions to be called after stats, rather than the Splunk versions, which are a lightweight percentile calculator and typically will miscalculate the true percentile. Does anyone have their own stat function they have written, or is there something in the search command docs I am missing?

1 Solution

dwaddle
SplunkTrust

If I understand your question correctly, you're looking to add new user-defined functions to the existing stats search command. Unfortunately, you can't directly do this today. The custom search command functionality is available, but you would wind up writing your own stats-like command -- call it mystats. Custom search commands give you a lot of extension flexibility, but in this example you'd have to re-implement as much of stats as was needed to make mystats work.

This came up recently in the context of the eval command - http://splunk-base.splunk.com/answers/26399/can-eval-evaluate-cosines?page=1#26406 . This is another case where it could be worth your trouble to file an Enhancement Request on the subject.

tincupchalice
Path Finder

So there is another thread we have going on addressing this issue. The first is that percentiles are being calculated with the nearest rank method, which is on the level of 8th grade math, and for what we do, we need linear interpolation. Second is that it is currently incorrect when doing this, as it is taking the next lower value than it should: 1,2,3 returns a median of 1 instead of 2; 1,2,3,4 will return 2 instead of 2.5. I think we are going to do an ER for either new, more precise percentile functions or ask for the existing functions to be corrected. I'm working on the custom search for now.

0 Karma

rajeshmeea21
Explorer

Were you able to solve this issue? I am also facing issues while calculating the percentile. I have changed the method to interpolated, but the results are still incorrect. For example, when calculating over two values I am getting a response time higher than the 90th percentile.

0 Karma
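
Added example, not part of any post in this thread and not Splunk's code: plain Python that puts the nearest rank method and linear interpolation discussed above side by side, on the 1,2,3 and 1,2,3,4 inputs from the thread plus a constructed two-value sample. The function names are hypothetical, `percentile_floor_rank` is a constructed rule that happens to reproduce the values reported above, and the interpolation uses the inclusive `(n - 1)` definition, which is one of several in common use.

```python
import math

def _sorted_samples(values, p):
    # Shared input validation for all three methods.
    if not values:
        raise ValueError("no samples")
    if not 0 <= p <= 100:
        raise ValueError("p must be between 0 and 100")
    return sorted(values)

def percentile_nearest_rank(values, p):
    """Nearest rank: the sample at 1-based rank ceil(p * n / 100)."""
    xs = _sorted_samples(values, p)
    rank = max(1, math.ceil(p * len(xs) / 100))
    return xs[rank - 1]

def percentile_floor_rank(values, p):
    """Constructed rule, rank = floor(p * n / 100). It reproduces the
    numbers reported in the thread; it is not taken from Splunk."""
    xs = _sorted_samples(values, p)
    rank = max(1, math.floor(p * len(xs) / 100))
    return xs[rank - 1]

def percentile_linear(values, p):
    """Linear interpolation between the two closest ranks,
    using the fractional 0-based position h = (n - 1) * p / 100."""
    xs = _sorted_samples(values, p)
    h = (len(xs) - 1) * p / 100
    lo = math.floor(h)
    hi = min(lo + 1, len(xs) - 1)   # clamp so p = 100 stays in range
    return xs[lo] + (h - lo) * (xs[hi] - xs[lo])

if __name__ == "__main__":
    # (samples, percentile); the last sample is constructed response times.
    cases = [([1, 2, 3], 50), ([1, 2, 3, 4], 50), ([120, 480], 90)]
    for samples, p in cases:
        print(samples, "p%d" % p,
              "floor_rank=%s" % percentile_floor_rank(samples, p),
              "nearest_rank=%s" % percentile_nearest_rank(samples, p),
              "linear=%s" % percentile_linear(samples, p))
```

With only two samples, the interpolated 90th percentile falls between them, so the larger sample is always above it.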