Solved: Can splunk do stats multimode(field)?

lpolo · ‎02-22-2012

Splunk support the statistical function "mode(X)". According to the Splunk documentation this function returns the most frequent value of field X.
I was able to experience that Splunk reports the correct mode from a set of numbers that are unique.

Is there an undocumented stats command or query that reports the multimode from a set of numbers that are not unique.

Example:
The mode of the set [1, 3, 3, 3, 3, 3, 7, 7, 12, 12, 17] is 3. The mode of set [3, 3, 6, 7, 7, 89, 89] is 89, 7, and 3 "Multimodal".

Thanks,
Lp

bwooden · ‎02-22-2012

I do not know of a way using just stats. If someone else has a solution, I'd love to see it. Otherwise, you can grab a multimodal list with something like this:

... | stats count(EventCode) as count by EventCode | eventstats max(count) as mode_indicator | where count=mode_indicator | mvcombine delim="," EventCode | fields mode

View solution in original post

bwooden · ‎02-22-2012

I do not know of a way using just stats. If someone else has a solution, I'd love to see it. Otherwise, you can grab a multimodal list with something like this:

... | stats count(EventCode) as count by EventCode | eventstats max(count) as mode_indicator | where count=mode_indicator | mvcombine delim="," EventCode | fields mode

lpolo · ‎06-01-2012

I tested it seems to do the work.

lpolo · ‎02-29-2012

Thanks.
I will test it and let you know.

Can splunk do stats multimode(field)?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!