topic Re: Percentile values over time in Splunk Search

Percentile values over time

ewanbrown — Thu, 20 Apr 2017 12:17:46 GMT

I have a query to look at the number of times a user does an event, and then get different percentiles of these. I'd however like to change this to track it over time. I've tried adding in timechart but it has not worked.

Do yo ukow if this Is this an easy thing to do?

Thanks

index=beacon <search query> | chart count by ID | stats perc99(count), perc1(count), perc50(count)

Re: Percentile values over time

niketn — Thu, 20 Apr 2017 13:28:56 GMT

Please try the following (timechart will require _time field which is getting removed by your chart query):

index=beacon <search query> 
| chart count min(_time) as _time by ID 
| timechart perc99(count) as Perc99 perc1(count) as Perc1 perc50(count) as Perc50

PS: span will be defaulted based on your Time Range selection or else you would need to introduce the same for chart and timechart.

Re: Percentile values over time

niketn — Fri, 21 Apr 2017 11:12:01 GMT

@ewanbrown... Were you able to try this out. Did the query work for you?

Re: Percentile values over time

DalJeanis — Fri, 21 Apr 2017 15:04:19 GMT

Percentile of what, precisely?

The code you posted returns, of all the total counts of all the users, what are the values for count that represent the user at the 99th percentile, the 50th and the 1st.

If you wanted to know what the 99th percentile count was for each day, then you could do this

 index=beacon <search query> | bin _time as Day span=1d | stats count by ID Day| stats perc99(count) as P99 by Day

... and then you could calculate the AVERAGE of the daily 99th percentiles ...

| stats avg(P99) as avg99thPercentile

...or if you wanted to know what the 99th percentile count was regarding the set of "event count per day per user" for the entire data set, you could do this...

 index=beacon <search query> | bin _time as Day span=1d | stats count by ID Day | stats perc99(count)

Re: Percentile values over time

ewanbrown — Mon, 24 Apr 2017 09:30:37 GMT

Thanks!

This is what I needed

  index=beacon <search query> | bin _time as Day span=1d | stats count by ID Day| stats perc99(count) as P99 by Day

Re: Percentile values over time

ewanbrown — Mon, 24 Apr 2017 09:50:22 GMT

Thanks for replying. It didn't seem to work. The 99 percentile value seems to get bigger the further back in time you went.

This worked for me though

index=beacon Platform=android | bin _time as Day span=1m | stats count by INID Day | stats perc99(count) as P99, perc50(count) as P50 by Day

Re: Percentile values over time

ewanbrown — Mon, 24 Apr 2017 09:51:12 GMT

This worked for me:

index=beacon | bin _time as Day span=1m | stats count by ID Day | stats perc99(count) as P99, perc50(count) as P50 by Day