Splunk supports the statistical function "mode(X)". According to the Splunk documentation, this function returns the most frequent value of field X.
I was able to observe that Splunk reports the correct mode from a set of numbers that are unique.
Is there an undocumented stats command or query that reports the multimode from a set of numbers that are not unique?
Example:
The mode of the set [1, 3, 3, 3, 3, 3, 7, 7, 12, 12, 17] is 3. The mode of the set [3, 3, 6, 7, 7, 89, 89] is 89, 7, and 3 ("multimodal").
Thanks,
Lp
I do not know of a way using just stats. If someone else has a solution, I'd love to see it. Otherwise, you can grab a multimodal list with something like this:
... | stats count(EventCode) as count by EventCode | eventstats max(count) as mode_indicator | where count=mode_indicator | mvcombine delim="," EventCode | rename EventCode as mode | fields mode
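The pipeline in the answer works in four stages: count rows per value, compute the maximum count, keep only the values whose count equals that maximum, and combine the survivors into one field. The following Python model of those stages is an added example, not code from the original post or from Splunk; it lets you check the logic offline, including the edge case the question hints at (a set whose values are all distinct, where every value ties for the mode). The SAMPLE_EVENTCODES list is constructed for illustration and is not real Windows log data.

```python
"""Added example: a Python model of the SPL multimode pipeline.

SPL stage                                     -> Python stage
  stats count(EventCode) as count by EventCode  -> Counter(values)
  eventstats max(count) as mode_indicator       -> max(counts.values())
  where count=mode_indicator                    -> keep rows at that max
  mvcombine delim="," EventCode                 -> ",".join(sorted modes)
"""
from collections import Counter
from statistics import multimode  # stdlib cross-check (Python 3.8+)


def mode_table(values):
    """'stats count by X': one row per distinct value with its count."""
    return dict(Counter(values))


def multimodes(values):
    """All values whose count equals the maximum count (the multimodal set).

    Returns a sorted list. As with the SPL, if every value occurs exactly
    once then every value is a mode, because count = mode_indicator = 1
    for all rows. An empty input yields an empty list.
    """
    if not values:
        return []
    counts = mode_table(values)
    mode_indicator = max(counts.values())  # eventstats max(count)
    return sorted(v for v, c in counts.items() if c == mode_indicator)


def mvcombine(values, delim=","):
    """'mvcombine delim=","': collapse the surviving rows into one string."""
    return delim.join(str(v) for v in multimodes(values))


# Constructed sample: EventCode values as they might come out of a Windows
# Security log search (4624 x3, 4634 x3, 4688 x2, 4625 x1, 4672 x1).
SAMPLE_EVENTCODES = [4624, 4624, 4625, 4634, 4634, 4672, 4688, 4688, 4624, 4634]

if __name__ == "__main__":
    print(multimodes([1, 3, 3, 3, 3, 3, 7, 7, 12, 12, 17]))  # [3]
    print(multimodes([3, 3, 6, 7, 7, 89, 89]))               # [3, 7, 89]
    print(mvcombine(SAMPLE_EVENTCODES))                      # 4624,4634
    # The stdlib multimode() must agree on the same set of values.
    assert set(multimodes(SAMPLE_EVENTCODES)) == set(multimode(SAMPLE_EVENTCODES))
```

Two things worth knowing when you run the SPL version for real: the result is only meaningful if the "by" field is the one you actually want the mode of (here EventCode), and if every value appears once the query returns all of them, since they all tie at count 1, so consider adding a threshold (for example `where count=mode_indicator AND count>1`) if a single-occurrence "mode" is not useful to you.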
I tested it, and it seems to do the job.
Thanks.
I will test it and let you know.