In Splunk documentation for the outlier command, it says:
"The transform option truncates the outlying values to the threshold for outliers."
Would like to understand how it calculates the threshold mentioned above.
For the SPL below, the total_bytes value of 92000 is replaced with 000244. How does Splunk come up with the value of 244?
| makeresults
| fields - _time
| eval data="101,20220101,3;101,20220102,200;101,20220103,210;101,20220104,220;101,20220105,200;101,20220106,210;101,20220107,220;101,20220108,92000;101,20220109,200;101,20220110,3;"
| makemv delim=";" data
| mvexpand data
| eval splitted=split(data,",")
| eval day_hour_key=mvindex(splitted,0,0), date=mvindex(splitted,1,1), total_bytes=mvindex(splitted,2,2)
| fields day_hour_key,total_bytes,date
| outlier action=transform mark=true total_bytes
| rename total_bytes as transform_total_bytes