https://community.splunk.com/t5/Deployment-Architecture/Using-the-number-of-events-in-bins-to-find-percentile/m-p/416663#M14889 <P>you could do that as well if you only need p95 , all other fields will be gone. Evenstats is used to keep all the fields in the output</P> Wed, 22 Aug 2018 08:16:24 GMT renjith_nair 2018-08-22T08:16:24Z https://community.splunk.com/t5/Deployment-Architecture/Using-the-number-of-events-in-bins-to-find-percentile/m-p/416658#M14884 <P>Hello all,</P> <P>I have a seemingly simple goal: bucketing events by time and finding the 95th percentile using the total number of events in each bin. I'm able to get the counts for each bin but I'm not sure how to use each of those counts and find the percentile using <CODE>p()</CODE>.</P> <P>This is how I'm getting the count for each bin:<BR /> <CODE>| bin _time span=5m | stats count by _time</CODE></P> <P>Now I want to use the values in the count column as an input list to calculate <CODE>p95()</CODE>.</P> <P>Thanks for the help in advance.</P> Tue, 21 Aug 2018 00:03:20 GMT https://community.splunk.com/t5/Deployment-Architecture/Using-the-number-of-events-in-bins-to-find-percentile/m-p/416658#M14884 jonnymolina 2018-08-21T00:03:20Z https://community.splunk.com/t5/Deployment-Architecture/Using-the-number-of-events-in-bins-to-find-percentile/m-p/416659#M14885 <P>@jonnymolina,</P> <P>Does it work for you ?</P> <PRE><CODE>index=_internal |bucket span=5m _time|stats count by _time|eventstats perc95(count) as p95 </CODE></PRE> Tue, 21 Aug 2018 03:28:29 GMT https://community.splunk.com/t5/Deployment-Architecture/Using-the-number-of-events-in-bins-to-find-percentile/m-p/416659#M14885 renjith_nair 2018-08-21T03:28:29Z https://community.splunk.com/t5/Deployment-Architecture/Using-the-number-of-events-in-bins-to-find-percentile/m-p/416660#M14886 <P>This works! Thank you so much. As a side topic, could this be achieved through <CODE>streamstats</CODE> as well?</P> Tue, 21 Aug 2018 06:31:53 GMT https://community.splunk.com/t5/Deployment-Architecture/Using-the-number-of-events-in-bins-to-find-percentile/m-p/416660#M14886 jonnymolina 2018-08-21T06:31:53Z https://community.splunk.com/t5/Deployment-Architecture/Using-the-number-of-events-in-bins-to-find-percentile/m-p/416661#M14887 <P>I wouldn't do it with streamstats because its specially created for creating "streaming" events where as eventstats acts on the events by events</P> Tue, 21 Aug 2018 07:55:22 GMT https://community.splunk.com/t5/Deployment-Architecture/Using-the-number-of-events-in-bins-to-find-percentile/m-p/416661#M14887 renjith_nair 2018-08-21T07:55:22Z https://community.splunk.com/t5/Deployment-Architecture/Using-the-number-of-events-in-bins-to-find-percentile/m-p/416662#M14888 <P>I also figured out you can return a single p95 value by doing</P> <P><CODE>| bin _time span=5m | stats count by _time | stats perc95(count) as p95</CODE></P> Tue, 21 Aug 2018 20:13:54 GMT https://community.splunk.com/t5/Deployment-Architecture/Using-the-number-of-events-in-bins-to-find-percentile/m-p/416662#M14888 jonnymolina 2018-08-21T20:13:54Z https://community.splunk.com/t5/Deployment-Architecture/Using-the-number-of-events-in-bins-to-find-percentile/m-p/416663#M14889 <P>you could do that as well if you only need p95 , all other fields will be gone. Evenstats is used to keep all the fields in the output</P> Wed, 22 Aug 2018 08:16:24 GMT https://community.splunk.com/t5/Deployment-Architecture/Using-the-number-of-events-in-bins-to-find-percentile/m-p/416663#M14889 renjith_nair 2018-08-22T08:16:24Z