How to return exact percentile values in a Splunk search?

rameshlpatel — Wed, 08 Jul 2015 19:13:11 GMT

Hi,

I have an issue with percentile functions provided by SPLUNK.

Example: I am getting count by last 7 days as :

11,12,13,14,16,18,22

If I am asking for 90th perc of above value, it's always showing me 22 as a value, not in between like 20 or 21, or if I expect the 80th percentile, it's giving me 18, not 19 or 20. This means it's taking data from the result set, not in between and I'm expecting exact percentiles. Could you please help me to know how we could achieve this in splunk ?

I tried all functions provided by Splunk like perc, p, exactperc etc. but results are not changing.

Re: How to return exact percentile values in a Splunk search?

martin_mueller — Thu, 09 Jul 2015 00:48:26 GMT

I'm pretty sure that both perc() and exactperc() use the Nearest Rank method: https://en.wikipedia.org/wiki/Percentile#The_Nearest_Rank_method
The difference appears to be that for high-cardinality fields perc() might not be accurate for sake of performance so you can use exactperc() to force Splunk to be accurate (within the Nearest Rank method) without regard for expensive computations.

topic Re: How to return exact percentile values in a Splunk search? in Splunk Search

How to return exact percentile values in a Splunk search?

Re: How to return exact percentile values in a Splunk search?