Splunk Search

Can splunk do stats multimode(field)?

lpolo
Motivator

Splunk support the statistical function "mode(X)". According to the Splunk documentation this function returns the most frequent value of field X.
I was able to experience that Splunk reports the correct mode from a set of numbers that are unique.

Is there an undocumented stats command or query that reports the multimode from a set of numbers that are not unique.

Example:
The mode of the set [1, 3, 3, 3, 3, 3, 7, 7, 12, 12, 17] is 3. The mode of set [3, 3, 6, 7, 7, 89, 89] is 89, 7, and 3 "Multimodal".

Thanks,
Lp

Tags (1)
0 Karma
1 Solution

bwooden
Splunk Employee
Splunk Employee

I do not know of a way using just stats. If someone else has a solution, I'd love to see it. Otherwise, you can grab a multimodal list with something like this:

... | stats count(EventCode) as count by EventCode | eventstats max(count) as mode_indicator | where count=mode_indicator | mvcombine delim="," EventCode | fields mode

View solution in original post

bwooden
Splunk Employee
Splunk Employee

I do not know of a way using just stats. If someone else has a solution, I'd love to see it. Otherwise, you can grab a multimodal list with something like this:

... | stats count(EventCode) as count by EventCode | eventstats max(count) as mode_indicator | where count=mode_indicator | mvcombine delim="," EventCode | fields mode

lpolo
Motivator

I tested it seems to do the work.

0 Karma

lpolo
Motivator

Thanks.
I will test it and let you know.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...