How to add the average of the top 5 percent of val...

jlamb3 · ‎01-19-2017

What I have:

"Properties.MetricType"=ResponseTiming AND "Properties.Http_Request_Path"=/BackflushInputs | timechart max("Properties.ElapsedMilliseconds") avg("Properties.ElapsedMilliseconds")

This gives me a very nice graph:

Because the Max value can be a significant outlier from than the rest, I'd also like to display the average of the top 5% values, minus the max value.

I've found answers to somewhat similar questions here:
https://answers.splunk.com/answers/75965/top-percentage-out-of-total-events.html
https://answers.splunk.com/answers/61711/average-time-on-only-top-results.html
...but I'm having trouble morphing them to exactly what I want. Any ideas on how I can achieve this, adding it to my current chart? Thanks!

gokadroid · ‎01-19-2017

something like:

your query to return events
| eventstats perc95(Properties.ElapsedMilliseconds) as interestedValue
| search Properties.ElapsedMilliseconds < interestedValue
| stats avg(Properties.ElapsedMilliseconds) as Avg

somesoni2 · ‎01-19-2017

You may want to explore function percX aggregation function available in timechart (and stats/chart). This gives the X percentile value, so if you use perc95("Properties.ElapsedMilliseconds") in your timechart, it should skip the top 5% outliers.

http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/CommonStatsFunctions#Aggregate_fun...

How to add the average of the top 5 percent of values, but remove the max value, to my timechart?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms