Comments and answers for "How to get _time at median value?"
https://answers.splunk.com/answers/569393/how-to-get-time-at-median-value.html
The latest comments and answers for the question "How to get _time at median value?"

Comment by DalJeanis on DalJeanis's comment
https://answers.splunk.com/comments/569493/view.html
@cmerriman - Thanks! I didn't expect to have to look up how Splunk implemented a standard mathematical term. Post has been updated and annotated, and I'm leaving my redundant brilliance in place for posterity, and as a warning to others.
Mon, 11 Sep 2017 19:36:04 GMT
DalJeanis

Comment by cmerriman on cmerriman's answer
https://answers.splunk.com/comments/569482/view.html
Just for definition's sake, median will grab the middle value of all present variables, not the middle value between min and max.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Aggregatefunctions#median.28X.29
|makeresults|eval data="1,2,3,5,6,7"| makemv data delim=","| mvexpand data | rename data as _raw | kv|stats median(_raw)
Using this, you get a median of 5, not 4, because Splunk should pick the higher of the two middle values.
Technically, if it is an even number, you're supposed to average the two middle numbers.
http://reference.wolfram.com/language/ref/Median.html
Mon, 11 Sep 2017 17:39:41 GMT
cmerriman

Comment by luanvn on luanvn's comment
https://answers.splunk.com/comments/569278/view.html
@DalJeanis Thanks for considering that.
Mon, 11 Sep 2017 16:36:31 GMT
luanvn

Comment by DalJeanis on DalJeanis's comment
https://answers.splunk.com/comments/569448/view.html
@luanvn, @cmerriman - you need a little more, because of the definition of median when there are even numbers of events. You are only covering two of the three cases, and the third one should occur in roughly 50% of the searches.
Mon, 11 Sep 2017 14:37:48 GMT
DalJeanis

Answer by DalJeanis
https://answers.splunk.com/answering/569445/view.html
CORRECTION - In Splunk, the calculation of the aggregate function `median()` does not match the mathematical definition, so the simpler code provided by @cmerriman is a complete solution. Below is the code for how you would do the real median() if that were correctly calculated.
----------
Mathematically, median is not necessarily an actual number present in the dataset. There could be only one, or there could be more than one, or there could be none. Here are some examples to show why...
1 2 3 6 9: median is 3, which is present in the data
1 2 3 3 3 6 9: median is 3, three present in the data
1 2 2 4 6 9: mathematical median is 3, which is not present in the data. However, Splunk picks 4 instead.
----------
The following code is redundant under the current implementation of `median()` in Splunk. Just use @cmerriman's.
That mathematical definition would make it a little funky to get the `_time`, but it could be done. What we would do is calculate the DIFFERENCE from the median, and then pass any records that have the lowest difference.
source=check_request app="test1" url="/ShippingOrder/Import"
| rename url as URL
| eventstats median(el) as UrlMedianEl by URL
| eval DeltaToMedian= abs(UrlMedianEl - el)
| eventstats min(DeltaToMedian) as minDeltaToMedian by URL
| where DeltaToMedian = minDeltaToMedian
| table _time URL el DeltaToMedian
See, wasn't that tricky?
----------
Examples altered - changed 4 and 5 to 6 and 9 respectively to help distinguish `median` - the *"middlest"* value - from `average`.
Also, the whole thing has become moot, because Splunk's `median()` just picks the higher of the two.
Mon, 11 Sep 2017 14:35:19 GMT
DalJeanis

Comment by luanvn on luanvn's answer
https://answers.splunk.com/comments/569241/view.html
That's great! It worked. Thanks so much cmerriman!
Mon, 11 Sep 2017 13:35:08 GMT
luanvn

Answer by cmerriman
https://answers.splunk.com/answering/569412/view.html
Try this to see if it works for you:
source=check_request app="test1" | rename url as "URL" | where URL="/ShippingOrder/Import" | eventstats median(el) as abc by URL | eval medTime=if(abc=el,_time,null()) | stats values(medTime) as _time values(abc) as abc by URL
Mon, 11 Sep 2017 12:31:58 GMT
cmerriman
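
The two selection strategies from this thread, compared on the `1 2 2 4 6 9` case, as an added Python example that is not part of either answer. The timestamps and function names are constructed for illustration, and `upper_median` models the even-count behaviour the thread attributes to Splunk's `median()`.

```python
from statistics import median

# Constructed sample events as (_time epoch, el); not data from the thread.
EVENTS = [(1505130000, 1), (1505130060, 2), (1505130120, 2),
          (1505130180, 4), (1505130240, 6), (1505130300, 9)]


def upper_median(values):
    """Middle value; for an even count, the higher of the two middle values
    (assumption: models the behaviour described in the thread)."""
    ordered = sorted(values)
    return ordered[len(ordered) // 2]


def times_exact(events, med):
    """Exact-match strategy: keep _time only where el equals the median."""
    return [t for t, el in events if el == med]


def times_nearest(events, med):
    """Min-delta strategy: keep events with the smallest |median - el|."""
    best = min(abs(med - el) for _, el in events)
    return [t for t, el in events if abs(med - el) == best]


def compare(events):
    """Run both strategies against both median definitions."""
    vals = [el for _, el in events]
    math_med, up_med = median(vals), upper_median(vals)
    return {
        "math_median": math_med,
        "upper_median": up_med,
        # Empty when the averaged median is not a value in the data.
        "exact_on_math": times_exact(events, math_med),
        # Falls back to the neighbours on either side of the median.
        "nearest_on_math": times_nearest(events, math_med),
        # Always non-empty: the upper-middle value is a real event.
        "exact_on_upper": times_exact(events, up_med),
    }


if __name__ == "__main__":
    for name, value in compare(EVENTS).items():
        print(name, value)
```

With an averaged median the exact match returns no `_time` at all for this data, which is the third case the min-delta search was written to cover.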