Splunk Search

How do I write a Custom stat function

tincupchalice
Path Finder

I am not trying to write a custom search command from the docs I've read on that topic. I rather would like to write my own linear interpolation percentile functions to be called after stats rather than the splunk versions that are a light weight percentile calculator and typically will miscalculate the true percentile. Does anyone have their own stat function they have written or is there something in the search command docs I am missing?

1 Solution

dwaddle
SplunkTrust
SplunkTrust

If I understand your question correctly, you're looking to add new user-defined functions to the existing stats search command. Unfortunately, you can't directly do this today. The custom search command functionality is available, but you would wind up writing your own stats-like command -- call it mystats. Custom search commands give you a lot of extension flexibility, but in this example you'd have to re-implement as much of stats as was needed to make mystats work.

This came up recently in context of the eval command - http://splunk-base.splunk.com/answers/26399/can-eval-evaluate-cosines?page=1#26406 . This is another case where it could be worth your trouble to file an Enhancement Request on the subject.

View solution in original post

dwaddle
SplunkTrust
SplunkTrust

If I understand your question correctly, you're looking to add new user-defined functions to the existing stats search command. Unfortunately, you can't directly do this today. The custom search command functionality is available, but you would wind up writing your own stats-like command -- call it mystats. Custom search commands give you a lot of extension flexibility, but in this example you'd have to re-implement as much of stats as was needed to make mystats work.

This came up recently in context of the eval command - http://splunk-base.splunk.com/answers/26399/can-eval-evaluate-cosines?page=1#26406 . This is another case where it could be worth your trouble to file an Enhancement Request on the subject.

tincupchalice
Path Finder

So there is another thread we have going on addressing this issue. The first is that percentiles are being calculated with nearest rank method which is on the level of 8th grade math and for what we do, we need linear interpolation. Second is that it is currently incorrect when doing this as it is taking the next lower value than it should. 1,2,3 returns a median of 1 instead of 2, - 1,2,3,4 will return 2 instead of 2.5. I think we are going to do an ER for either new, more precise percentile functions or ask the existing functions to be corrected. I'm working on the custom search for now.

0 Karma

rajeshmeea21
Explorer

Did you able to solve this issue. I am also facing issues while calculating the percentile. I have changed the method to interpolated. But still results are incorrect. For eg when calculating over two values i am getting response time higher than 90th percentile.

0 Karma
Get Updates on the Splunk Community!

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...