So I am trying to get an average duration time for request.
Currently I am using this request with gets the top 5 percent, and bottom 5 percent of times and removes them with the idea that they are outliers. I realized that this may not always be accurate if the top 5 or bottom 5 percent are actually close to the mean and not outliers. So how would I change this search to remove anything that is 3 standard deviations away from the mean?
"Data.PlatformTeam" = "payments" | eventstats perc95(Duration) as Perc95, perc5(Duration) as Perc5 by Name| where Duration < Perc95 | where Duration > Perc5 | stats avg(Duration) as Average, count as Frequency by Name | sort -Average
This will do it.
"Data.PlatformTeam"="payments" | eventstats avg(duration) as avg stdev(duration) as stdev by Name | where abs(duration-avg) < stdev*3 | stats avg(duration) as Average, count as Frequency by Name | sort -Average
This will do it.
"Data.PlatformTeam"="payments" | eventstats avg(duration) as avg stdev(duration) as stdev by Name | where abs(duration-avg) < stdev*3 | stats avg(duration) as Average, count as Frequency by Name | sort -Average
This is exactly what I was looking for. Thank you
Something like this?
"Data.PlatformTeam" = "payments" | eventstats mean(Duration) as mean, stdev(Duration) as stdev by Name| where abs(mean-stdev)< 3 | stats avg(Duration) as Average, count as Frequency by Name | sort -Average