topic Re: How can I find an event count of event that are less than a p95 duration? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/667738#M229073 <P>Use <FONT face="courier new,courier">eventstats</FONT> to compute the p95 value without losing the other fields.</P><LI-CODE lang="markup">index=xyz status=complete | eventstats p95(dur) as p95Dur | where dur &lt; p95Dur</LI-CODE> Tue, 07 Nov 2023 19:19:29 GMT richgalloway 2023-11-07T19:19:29Z How can I find an event count of event that are less than a p95 duration? https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/667732#M229069 <P>I need to identify the count of events that have a duration that is less than the p95 value.</P><P>Sample search</P><P>index=xyz status=complete | stats p95(dur) as p95Dur<BR /><BR />What can I add to the end of the search to id the number of events less than the p95Dur value?</P> Tue, 07 Nov 2023 19:01:15 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/667732#M229069 mark_groenveld 2023-11-07T19:01:15Z Re: How can I find an event count of event that are less than a p95 duration? https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/667738#M229073 <P>Use <FONT face="courier new,courier">eventstats</FONT> to compute the p95 value without losing the other fields.</P><LI-CODE lang="markup">index=xyz status=complete | eventstats p95(dur) as p95Dur | where dur &lt; p95Dur</LI-CODE> Tue, 07 Nov 2023 19:19:29 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/667738#M229073 richgalloway 2023-11-07T19:19:29Z Re: How can I find an event count of event that are less than a p95 duration? https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/667743#M229074 <P>I find doing eventstats on raw data to be tremendously slow. I'd probably compute the percentile in a subsearch and pass it through. Then you only do the percentile computation once.<BR /><BR /><BR /><SPAN>index=xyz status=complete [ search index=xyz status=complete | stats p95(dur) as p95Dur | eval search = "dur&gt;"+p95Dur | table search]</SPAN><BR /><BR /></P> Tue, 07 Nov 2023 20:51:13 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/667743#M229074 RobertMarks 2023-11-07T20:51:13Z Re: How can I find an event count of event that are less than a p95 duration? https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/667983#M229183 <P>Thanks for your response Rich.&nbsp; Using eventstats took too long to complete to the point it wasn't usable.</P> Wed, 08 Nov 2023 21:51:31 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/667983#M229183 mark_groenveld 2023-11-08T21:51:31Z Re: How can I find an event count of event that are less than a p95 duration? https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/667985#M229185 <P>Thanks Robert.&nbsp; I would like to clarify the search as I need the events less than the p95 duration.</P><P>Shouldn't the eval section be:&nbsp;&nbsp;<SPAN>| eval search = "dur&lt;"+p95Dur</SPAN></P> Wed, 08 Nov 2023 21:54:23 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/667985#M229185 mark_groenveld 2023-11-08T21:54:23Z Re: How can I find an event count of event that are less than a p95 duration? https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/667987#M229186 <P>What do you need to retain from those events? eventstats is a slow operation as it will run on the search head, so the amount of information you need should be minimised before using that, so use the fields command to limit only those fields you need beforehand.</P><P>If that is still too slow, the subsearch approach may work for you&nbsp;</P><P>&nbsp;</P> Wed, 08 Nov 2023 22:32:44 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/667987#M229186 bowesmana 2023-11-08T22:32:44Z Re: How can I find an event count of event that are less than a p95 duration? https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/668003#M229189 <P>I need the count of events.</P> Thu, 09 Nov 2023 00:49:53 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/668003#M229189 mark_groenveld 2023-11-09T00:49:53Z Re: How can I find an event count of event that are less than a p95 duration? https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/668181#M229222 <P>Have you tried just</P><LI-CODE lang="markup">index=xyz status=complete | fields dur | fields - _* | eventstats p95(dur) as p95Dur | where dur &lt; p95Dur | stats count</LI-CODE><P>so you only have the dur field in the dataset - I believe that will be significantly faster without having to pull all the data to the search head.</P> Thu, 09 Nov 2023 23:35:23 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-find-an-event-count-of-event-that-are-less-than-a-p95/m-p/668181#M229222 bowesmana 2023-11-09T23:35:23Z