What I have: "Properties.MetricType"=ResponseTiming AND "Properties.Http_Request_Path"=/BackflushInputs | timechart max("Properties.ElapsedMilliseconds") avg("Properties.ElapsedMilliseconds") This gives me a very nice graph: Because the Max value can be a significant outlier from than the rest, I'd also like to display the average of the top 5% values, minus the max value. I've found answers to somewhat similar questions here: https://answers.splunk.com/answers/75965/top-percentage-out-of-total-events.html https://answers.splunk.com/answers/61711/average-time-on-only-top-results.html ...but I'm having trouble morphing them to exactly what I want. Any ideas on how I can achieve this, adding it to my current chart? Thanks! ... View more

I have a query showing all errors of interest. Excerpt of result: When this error happens, we get 3-6 errors spit out within milliseconds of each other, so what I'd like to do is take this search result and get a nice chart of the number of events, grouping all events from the same failure windows together. All 3 shown in the image would be counted as one. My line of inquiry has resulted in: **query** | timechart count by (date_month AND date_mday AND date_hour AND date_minute) but that is still resulting in a count of 3 for the events in my image. Suggestions? ... View more