What I have:
"Properties.MetricType"=ResponseTiming AND "Properties.Http_Request_Path"=/BackflushInputs | timechart max("Properties.ElapsedMilliseconds") avg("Properties.ElapsedMilliseconds")
This gives me a very nice graph:
Because the Max value can be a significant outlier from than the rest, I'd also like to display the average of the top 5% values, minus the max value.
I've found answers to somewhat similar questions here:
...but I'm having trouble morphing them to exactly what I want. Any ideas on how I can achieve this, adding it to my current chart? Thanks!
You may want to explore function percX aggregation function available in timechart (and stats/chart). This gives the X percentile value, so if you use perc95("Properties.ElapsedMilliseconds") in your timechart, it should skip the top 5% outliers.
your query to return events | eventstats perc95(Properties.ElapsedMilliseconds) as interestedValue | search Properties.ElapsedMilliseconds < interestedValue | stats avg(Properties.ElapsedMilliseconds) as Avg