Splunk Search

Mode function in stats (ver 5.0.5)

yuwtennis
Communicator

Hi!

I would like to know how does the mode function behave in the stats command in following situation.

fieldA  fieldB  fieldC  Date
a       1       1       1/2/2014 0:0:0
        1       2       1/3/2014 1:0:0
b       1       1       1/4/2014 0:0:0
c       1       1       1/5/2014 0:0:0

If I execute
xxxx | stats mode(fieldC) by fieldA

I expect the mode to return "2". However, in some cases, it returns "1".

What is the correct behavior?
Should it return the earliest value if the occurrence is the same?

Thanks,
Yu


steveyz
Splunk Employee

When there is no unique mode, it should emit the lexicographically first mode value, which in this case should be 1. It purposely does not return multiple values.

0 Karma

yuwtennis
Communicator

Hi steveyz.

OK. Do you know a way to get the latest value when the occurrence is the same?

0 Karma

sdorich
Communicator

Technically, it should return a set of values if there are multiple values that have the same highest occurrence. However, perhaps in the Splunk version you're using the mode function expects a single value, gets confused, and returns the earliest value if the occurrence is the same (check examples to ensure this is the case). I'd just use the "top" command so you can see, say, the top 10 values that occur, i.e. ... | top fieldC by fieldA

0 Karma

sdorich
Communicator

Great! Using stats and sort is what I was thinking. Another command you should check out is "head". It will return the most recent n events (i.e. | head n). But glad you got your search to work the way you wanted. You should mark it as "answered" if you have no more issues.

0 Karma

yuwtennis
Communicator

I guess I figured it out.

I used the combination of stats and sort.

stats count latest(Date) as latest by fieldA fieldC
| sort 0 -count -latest
| stats first(fieldC) by fieldA

0 Karma
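The two tie-breaking rules discussed in this thread, modelled in Python as an added example (this is not code from the original post, from Splunk, or from the stats command itself; SPL cannot be run offline, so the logic is reproduced by hand). mode_lexicographic_first() implements the behaviour steveyz describes: among the values with the highest count, emit the one that sorts first as a string. mode_latest_on_tie() implements the stats/sort/stats pipeline from the post above: count per (fieldA, fieldC), keep the latest timestamp per pair, order by count then by recency, and take the first row per fieldA. The events are constructed for this example; the third group ("c") is there to show the caveat that lexicographic ordering compares strings, so "10" beats "9". The example also assumes real timestamps rather than the "1/2/2014 0:0:0" date strings from the tables, because sorting those strings would itself be lexicographic (e.g. "1/10/2014" sorts before "1/2/2014"), not chronological.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events for this example (not from the original post):
# (fieldA, fieldC, event timestamp). fieldB is omitted because neither
# search references it.
EVENTS = [
    ("a", "1", datetime(2014, 1, 2, 0, 0, 0)),
    ("a", "2", datetime(2014, 1, 3, 1, 0, 0)),   # ties with "1" in group a; newer
    ("b", "2", datetime(2014, 1, 4, 0, 0, 0)),
    ("b", "2", datetime(2014, 1, 6, 0, 0, 0)),
    ("b", "1", datetime(2014, 1, 5, 0, 0, 0)),   # "2" has the unique highest count
    ("c", "10", datetime(2014, 1, 5, 0, 0, 0)),
    ("c", "9", datetime(2014, 1, 7, 0, 0, 0)),   # tie; "10" < "9" as strings, "9" is newer
]


def group_by_a(events):
    """Split events into per-fieldA lists of (fieldC, timestamp)."""
    groups = defaultdict(list)
    for field_a, field_c, ts in events:
        groups[field_a].append((field_c, ts))
    return groups


def mode_lexicographic_first(events):
    """Behaviour described by steveyz: with no unique mode, return the
    lexicographically first of the tied values, never a multivalue result."""
    result = {}
    for field_a, rows in group_by_a(events).items():
        counts = Counter(field_c for field_c, _ in rows)
        top = max(counts.values())
        # min() on strings is a lexicographic comparison, so "10" < "9"
        result[field_a] = min(v for v, n in counts.items() if n == top)
    return result


def mode_latest_on_tie(events):
    """The stats/sort/stats pipeline from the thread:
         stats count latest(Date) as latest by fieldA fieldC
         | sort 0 -count -latest
         | stats first(fieldC) by fieldA
    i.e. highest count wins, and among tied counts the value seen most
    recently wins."""
    result = {}
    for field_a, rows in group_by_a(events).items():
        counts = Counter(field_c for field_c, _ in rows)
        latest = {}
        for field_c, ts in rows:
            latest[field_c] = max(latest.get(field_c, ts), ts)
        # sort by (count desc, latest desc); first row is the winner
        ordered = sorted(counts, key=lambda v: (counts[v], latest[v]), reverse=True)
        result[field_a] = ordered[0]
    return result


if __name__ == "__main__":
    print("lexicographic-first:", mode_lexicographic_first(EVENTS))
    print("latest-on-tie:      ", mode_latest_on_tie(EVENTS))
```

Group "a" is the situation from the original question: two values with equal counts, where the first rule returns "1" and the second returns the newer "2". Group "c" shows why a string tie-break is a trap for numeric-looking fields: the first rule picks "10" over "9".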

yuwtennis
Communicator

To support my reply,
it seems that the top command gets confused in these situations.

fieldA  fieldB  fieldC  Date
a       1       1       1/2/2014 0:0:0
a       1       1       1/3/2014 0:0:0
b       1       2       1/4/2014 0:0:0
b       1       2       1/6/2014 0:0:0   *1
c       1       1       1/5/2014 0:0:0

If I do top fieldC by fieldA,
it returns fieldA instead of fieldB.
However, I want to have *1, which is the latest value that occurred.

0 Karma

yuwtennis
Communicator

Hi sdorich.

Thank you for the comment.

I played around with the top command, but is it possible to get the latest value if the frequency is the same?

0 Karma