- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Mode function in stats (ver 5.0.5)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mode function in stats (ver 5.0.5)
Hi!
I would like to know how does the mode function behave in the stats command in following situation.
fieldA fieldB fieldC Date
a 1 1 1/2/2014 0:0:0
1 2 1/3/2014 1:0:0
b 1 1 1/4/2014 0:0:0
c 1 1 1/5/2014 0:0:0
If I execute
xxxx | stats mode(fieldC) by fieldA
I expect the mode to return "2" . However, in some cases , it returns "1".
What will be the correct behavior?
Should it return the most earliest value if the occurence is the same?
Thanks,
Yu
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
when there is no unique mode, it should emit the lexicographically first mode value, which in this case should be 1. It purposely does not return multiple values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi steveyz.
Ok. Do you know the way to get the most latest value when the occurence is the same?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Technically, it should return a set of values if there are multiple values that have the same highest occurrence. However, perhaps in the Splunk version you're using the mode function expects a single value, gets confused, and returns the earliest value if the occurence is the same (check examples to ensure this is the case). I'd just use the "top" command so you can see say the top 10 values that occur. i.e. ... | top fieldC by fieldA
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great! Using stats and sort is what I was thinking. Another command you should check out is "head". It will return the the most recent n events (i.e. | head n). But glad you got your search to work the way you wanted. You should mark it as "answered" if you have no more issues.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess I figured it out.
I used the combination of stats and sort.
stats count latest(Date) by fieldA fieldC
| sort 0 -count -latest
| stats first(fieldC) by fieldA
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To support my reply,
It seems that top command gets confused in these occasions.
fieldA fieldB fieldC Date
a 1 1 1/2/2014 0:0:0
a 1 1 1/3/2014 0:0:0
b 1 2 1/4/2014 0:0:0
b 1 2 1/6/2014 0:0:0 *1
c 1 1 1/5/2014 0:0:0
if I do top fieldC by fieldA ,
it returns field A instead of fields B.
However, I want to have *1 which is the most latest value occured.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi sdorich.
Thank you for the comment.
I played around with the top command but is it possible to get the most latest value if the frequency is the same?
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
