Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why result of upperperc95 are smaller than avg some times.

faabiojr
New Member
‎04-23-2016 05:03 PM

I am running a querie to calculate the upperperc95 and avg for the number of conections in my firewalls, but some times the result of the upperperc95 are smaller than avg results.

If the upperperc95 uses only 5% of the biggest results and does an avg of them, how they can be smaller than the avg that considers all data?

0 Karma
Reply

ben363
Path Finder
‎06-03-2016 06:26 AM

upperperc 95 doesn't give the average of the top 5%. It gives an estimate of where the top 5% starts. If the biggest numbers in the top 5% are much larger than the smallest numbers in the top 5%, then the overall average can be bigger than more than 95% of the numbers in the sample.

One simple example is where 96% of your numbers are almost the same, and you have a few numbers that are much much bigger. Then your average will be bigger than at least 96% of your numbers.

See http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonStatsFunctions

Reply

Richfez
SplunkTrust
SplunkTrust
‎04-23-2016 09:13 PM

Can you provide some samples of this for us to do our own testing/math on?

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top