Average of Transactions for the top 50% of transactions

adityapavan18
Contributor

Hi,

I have data of transactions in logs.

Using "duration" I can take the total duration of every transaction. And avg(duration) will give me the avg of all the transactions.

Now I need to calculate the average of only the top 50% best transactions on time.

i.e., for example, I have 100 transactions, I sort them according to duration (min to max), and I need the average of the first 50 transactions.

How can I achieve this?

1 Solution

carasso
Splunk Employee

Here's how to do it.

1) Calculate the median value for duration, using "eventstats", which puts the value onto every event/transaction.

2) Use "where" to filter out events/transactions that are below the median duration.

3) Now calculate the average duration for the remaining events/transactions.

Putting it all together:

"your transaction search" | eventstats median(duration) as threshold | where duration>= threshold | stats avg(duration)
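
The procedure the question describes (sort by duration from min to max, then average the first half), written as a rank-based search; this is an added example, not part of either post. It ranks events instead of comparing them to the median, so it keeps half of the events (rounded down) even when several share the same duration. The `makeresults` generator and the field names `n`, `rank`, `total` and `avg_fastest_half` are constructed for illustration; replace the first three lines with your own transaction search.

```spl
| makeresults count=100
| streamstats count as n
| eval duration = n * 10
| sort 0 duration
| streamstats count as rank
| eventstats count as total
| where rank <= total / 2
| stats avg(duration) as avg_fastest_half
```

`sort 0` lifts the default 10,000-result limit of `sort`, which matters when ranking a full set of transactions.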

