Answers for "How to get _time at median value?"
https://answers.splunk.com/answers/569393/how-to-get-time-at-median-value.html
The latest answers for the question "How to get _time at median value?"
Answer by DalJeanis
https://answers.splunk.com/answering/569445/view.html
CORRECTION - In Splunk, the calculation of the aggregate function `median()` does not match the mathematical definition, so the simpler code provided by @cmerriman is a complete solution. Below is the code for how you would do the real median() if that were correctly calculated.
----------
Mathematically, median is not necessarily an actual number present in the dataset. There could be only one, or there could be more than one, or there could be none. Here are some examples to show why...
1 2 3 6 9 median is 3, which is present in the data
1 2 3 3 3 6 9 median is 3, three present in the data
1 2 2 4 6 9 mathematical median is 3, which is not present in the data. However, Splunk picks 4 instead.
----------
The following code is redundant under the current implementation of `median()` in Splunk. Just use @cmerriman's.
That mathematical definition would make it a little funky to get the `_time`, but it could be done. What we would do is calculate the DIFFERENCE from the median, and then pass any records that have the lowest difference.
source=check_request app="test1" url="/ShippingOrder/Import"
| rename url as URL
| eventstats median(el) as UrlMedianEl by URL
| eval DeltaToMedian = abs(UrlMedianEl - el)
| eventstats min(DeltaToMedian) as minDeltaToMedian by URL
| where DeltaToMedian = minDeltaToMedian
| table _time URL el DeltaToMedian
See, wasn't that tricky?
----------
Examples altered - changed 4 and 5 to 6 and 9 respectively to help distinguish `median` - the *"middlest"* value - from `average`.
Also, the whole thing has become moot, because Splunk's `median()` just picks the higher of the two.
Mon, 11 Sep 2017 14:35:19 GMT
DalJeanis
Answer by cmerriman
https://answers.splunk.com/answering/569412/view.html
Try this to see if it works for you:
source=check_request app="test1"
| rename url as "URL"
| where URL="/ShippingOrder/Import"
| eventstats median(el) as abc by URL
| eval medTime=if(abc=el,_time,null())
| stats values(medTime) as _time values(abc) as abc by URL
Mon, 11 Sep 2017 12:31:58 GMT
cmerriman
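An added example, not part of either answer above: a Python sketch of the two selection rules discussed in this thread, run on constructed events whose `el` values follow the sample datasets 1 2 2 4 6 9 and 1 2 3 6 9. `times_at_median` keeps the events nearest the mathematical median (the delta approach), while `times_at_upper_median` uses the upper-middle value that the thread attributes to Splunk's `median()`. The timestamps, the `/ShippingOrder/Export` URL and all function names are assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import median, median_high

# Constructed sample events: (epoch seconds, URL, el). The el values reuse the
# thread's datasets 1 2 2 4 6 9 and 1 2 3 6 9; times and the Export URL are made up.
EVENTS = [
    (1505130000, "/ShippingOrder/Import", 1),
    (1505130060, "/ShippingOrder/Import", 4),
    (1505130120, "/ShippingOrder/Import", 2),
    (1505130180, "/ShippingOrder/Import", 9),
    (1505130240, "/ShippingOrder/Import", 2),
    (1505130300, "/ShippingOrder/Import", 6),
    (1505130000, "/ShippingOrder/Export", 3),
    (1505130060, "/ShippingOrder/Export", 9),
    (1505130120, "/ShippingOrder/Export", 1),
    (1505130180, "/ShippingOrder/Export", 6),
    (1505130240, "/ShippingOrder/Export", 2),
]


def times_at_median(events, pick=median):
    """Per URL, return (median, [(time, el), ...]) for the events nearest the median.

    Mirrors the eventstats / abs() / min() / where pipeline: every event tied for
    the smallest distance is kept, so an even-sized group can yield several rows.
    """
    by_url = defaultdict(list)
    for when, url, el in events:
        by_url[url].append((when, el))
    result = {}
    for url, rows in by_url.items():
        mid = pick([el for _, el in rows])
        smallest = min(abs(el - mid) for _, el in rows)
        result[url] = (mid, sorted(r for r in rows if abs(r[1] - mid) == smallest))
    return result


def times_at_upper_median(events):
    """Same selection with the upper-middle value (assumed Splunk behaviour, per the thread)."""
    return times_at_median(events, pick=median_high)


if __name__ == "__main__":
    for label, fn in (("mathematical", times_at_median), ("upper-middle", times_at_upper_median)):
        for url, (mid, rows) in fn(EVENTS).items():
            print(label, url, "median =", mid, "events =", rows)
```

For the even-sized Import group the mathematical median is 3, which matches no event, so three events tie as nearest; with the upper-middle value only the `el` = 4 event remains, which is the case where an exact-match comparison is sufficient.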