topic Re: grouping requests by percentile in Splunk Search

grouping requests by percentile

joe06031990 — Thu, 22 Jul 2021 05:11:58 GMT

Good morning,

I am trying to group the count by percentile however all is showing in 0% which is in correct:

source="C:\\inetpub\\logs\\LogFiles\\*" host="WIN-699VGN4SK4U" index="main" |bucket span=1d _time| eventstats p75(count) as p75 p95(count) as p95 p99(count) as p99
| eval Percentile = case(count >= p75, "75%", count >= p95, "95%", count >= p99, "99%", 1=1, "0%")
| stats count by Percentile

Not really sure how to fix, any help would be greatly appreciated.

Thanks

Joe

Re: grouping requests by percentile

ITWhisperer — Thu, 22 Jul 2021 06:40:40 GMT

count isn't created in your search - does it already exist in your events?

Also, you should change the order in the case statement since over 95% is also over 75% so would be tagged as being over 75% before it gets to evaluate whether it is over 95%

Re: grouping requests by percentile

joe06031990 — Thu, 22 Jul 2021 07:57:27 GMT

Thanks for your reply, I have re-wrote my search:

index=test sourcetype=test |bucket span=1m _time
| stats count as total
| eventstats perc99(total) as p99, perc95(total),perc75(total) as p75| eval Percentile = case(total >= p99, "99%", total >= p95, "95%", total >= p75, "75%", 1=1, "0%")
| stats sum(total) as "Totals" by Percentile
| rename Totals as "Total Transactions"

however this is now only showing the 99% and not 75% or 99%.

Any thoughts?

Thanks

Joe

Re: grouping requests by percentile

joe06031990 — Thu, 22 Jul 2021 09:20:26 GMT

It also looks like it is just selecting the first Percentile in the case statement no matter what it is.

Re: grouping requests by percentile

ITWhisperer — Thu, 22 Jul 2021 09:44:31 GMT

You have not included _time in the stats so you will get a single result