Solved: Can splunk do stats multimode(field)?

lpolo · ‎02-22-2012

Splunk support the statistical function "mode(X)". According to the Splunk documentation this function returns the most frequent value of field X.
I was able to experience that Splunk reports the correct mode from a set of numbers that are unique.

Is there an undocumented stats command or query that reports the multimode from a set of numbers that are not unique.

Example:
The mode of the set [1, 3, 3, 3, 3, 3, 7, 7, 12, 12, 17] is 3. The mode of set [3, 3, 6, 7, 7, 89, 89] is 89, 7, and 3 "Multimodal".

Thanks,
Lp

bwooden · ‎02-22-2012

I do not know of a way using just stats. If someone else has a solution, I'd love to see it. Otherwise, you can grab a multimodal list with something like this:

... | stats count(EventCode) as count by EventCode | eventstats max(count) as mode_indicator | where count=mode_indicator | mvcombine delim="," EventCode | fields mode

View solution in original post

bwooden · ‎02-22-2012

I do not know of a way using just stats. If someone else has a solution, I'd love to see it. Otherwise, you can grab a multimodal list with something like this:

... | stats count(EventCode) as count by EventCode | eventstats max(count) as mode_indicator | where count=mode_indicator | mvcombine delim="," EventCode | fields mode

lpolo · ‎06-01-2012

I tested it seems to do the work.

lpolo · ‎02-29-2012

Thanks.
I will test it and let you know.

Can splunk do stats multimode(field)?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk