https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131115#M35763 <P>Sure, it just adds a bit of post-processing:</P> <PRE><CODE>| inputlookup sessions.csv | stats count as sessions sum(amount) as total by user | eventstats p99(total) as p99 p80(total) as p80 p50(total) as p50 | eval Percentile = case(total &gt;= p99, "99%", total &gt;= p80, "80%", total &gt;= p50, "50%", 1=1, "0%") | stats count sum(total) as total sum(sessions) as sessions by Percentile | sort - Percentile | streamstats sum(*) as running_* | eval average = running_total / running_count | eval sessions = running_sessions / running_count | table Percentile average sessions </CODE></PRE> Mon, 14 Apr 2014 20:06:49 GMT martin_mueller 2014-04-14T20:06:49Z https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131108#M35756 <P>Hi,<BR /> I'm new to Splunk and I'm quite stuck on how to group users by percentile. </P> <P>Each user has the option of paying for services and I want to group these users by their payment percentile. So if the max anyone has cumulatively paid is $100, they would show up in the 99th percentile while the 50th percentile would be someone who paid $50 or more. Based on that grouping I want to know the average number of sessions they've logged in my app.</P> <P>It'd look something like this:<BR /> <TABLE border="1"><BR /> <TBODY><TR><BR /> <TD>Percentile</TD><BR /> <TD>Avg Payment</TD><BR /> <TD>Sessions</TD><BR /> </TR><BR /> <TR><BR /> <TD>99%</TD><BR /> <TD>99</TD><BR /> <TD>50</TD><BR /> </TR><BR /> <TR><BR /> <TD>80%</TD><BR /> <TD>82</TD><BR /> <TD>44</TD><BR /> </TR><BR /> <TR><BR /> <TD>50%</TD><BR /> <TD>60</TD><BR /> <TD>25</TD><BR /> </TR><BR /> <TR><BR /> <TD>0%</TD><BR /> <TD>0</TD><BR /> <TD>60</TD><BR /> </TR><BR /> </TBODY></TABLE></P> <P>I would be grateful for any help on how to achieve this. Thanks!</P> Mon, 14 Apr 2014 18:15:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131108#M35756 gtran 2014-04-14T18:15:51Z https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131109#M35757 <P>so does that mean 99% is the person who has paid 100$ and the one paid 50$ they are in 50%? little confusing. You could try </P> <P>eval per=case</P> <P>or</P> <P>rangemap</P> <P>i guess that is the case here.</P> Mon, 14 Apr 2014 18:27:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131109#M35757 linu1988 2014-04-14T18:27:21Z https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131110#M35758 <P>It is a bit confusing... The top 50% would be both the person who paid $50 and the person who paid $100 while the 99th percentile is the top 1% so just the guy who paid $100.</P> <P>I have not looked into rangemap yet, thanks for the tip!</P> Mon, 14 Apr 2014 18:31:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131110#M35758 gtran 2014-04-14T18:31:45Z https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131111#M35759 <P>will it be</P> <P><CODE>....|eval percentile=case(Payment=="50$" AND Payment=="100$","50%",Payment="100$","100%",cases..)|stats count(Sessions) as Session by percentile,Payment</CODE></P> Mon, 14 Apr 2014 18:38:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131111#M35759 linu1988 2014-04-14T18:38:28Z https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131112#M35760 <P>Could you post some sample events?</P> Mon, 14 Apr 2014 19:37:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131112#M35760 somesoni2 2014-04-14T19:37:38Z https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131113#M35761 <P>Here's what you do, assuming your data has an event per session with a user ID and the amount paid for that session:</P> <PRE><CODE>| inputlookup sessions.csv | stats count as sessions sum(amount) as total by user | eventstats p99(total) as p99 p80(total) as p80 p50(total) as p50 | eval Percentile = case(total &gt;= p99, "99%", total &gt;= p80, "80%", total &gt;= p50, "50%", 1=1, "0%") | stats avg(total) as average avg(sessions) as sessions by Percentile </CODE></PRE> <P>The inputlookup loads my dummy data, see below.<BR /> The stats calculates the number of sessions and total amount paid per user.<BR /> The eventstats uses those totals to calculate where the percentile borders are.<BR /> The eval groups the users into their percentile buckets, without duplication - if you're in the 99% bucket you're not also in all the other buckets.<BR /> The final stats computes the average total amount and average number of sessions per percentile bucket.</P> <P>Sample data looks like this:</P> <P><CODE>session,user,amount<BR /> 1,a,10<BR /> 2,a,15<BR /> 3,a,20<BR /> 4,b,0<BR /> 5,c,100<BR /> 6,d,10<BR /> 7,e,20<BR /> 8,e,10<BR /> 9,f,1<BR /> 10,g,5<BR /> 11,h,6<BR /> 12,i,7<BR /> 13,j,8<BR /> 14,k,9<BR /> 15,l,10<BR /> 16,m,11<BR /> 17,n,12<BR /> 18,o,13<BR /> 19,p,14<BR /> 20,q,15</CODE></P> <P>Output based on that sample data:</P> <P><CODE>Percentile average sessions<BR /> 0% 5.142857 1<BR /> 50% 11.666667 1<BR /> 80% 30.000000 2<BR /> 99% 100.000000 1</CODE></P> <P>To cross-check, let's look at the 80% bucket. I've got 17 users, so the lower-bound 80% bucket should be the top four people. The top one user is already in the 99% bucket, so we're looking at 2, 3, and 4 - they're a, e, and q and spent 45, 30, and 15 respectively giving you an average of 30.</P> Mon, 14 Apr 2014 19:43:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131113#M35761 martin_mueller 2014-04-14T19:43:06Z https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131114#M35762 <P>Thanks so much for this explanation. I think my biggest mistake was using stats to calculate the actual percentile values instead of eventstats. Is there any way for a user to be included in multiple groups? So the top user would be in the 99%, 80% and 50%?</P> Mon, 14 Apr 2014 19:58:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131114#M35762 gtran 2014-04-14T19:58:26Z https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131115#M35763 <P>Sure, it just adds a bit of post-processing:</P> <PRE><CODE>| inputlookup sessions.csv | stats count as sessions sum(amount) as total by user | eventstats p99(total) as p99 p80(total) as p80 p50(total) as p50 | eval Percentile = case(total &gt;= p99, "99%", total &gt;= p80, "80%", total &gt;= p50, "50%", 1=1, "0%") | stats count sum(total) as total sum(sessions) as sessions by Percentile | sort - Percentile | streamstats sum(*) as running_* | eval average = running_total / running_count | eval sessions = running_sessions / running_count | table Percentile average sessions </CODE></PRE> Mon, 14 Apr 2014 20:06:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131115#M35763 martin_mueller 2014-04-14T20:06:49Z https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131116#M35764 <P>That yields this table for my dummy data:</P> <P><CODE>Percentile average sessions<BR /> 99% 100 1<BR /> 80% 47.500000 1.750000<BR /> 50% 26 1.300000<BR /> 0% 17.411765 1.176471</CODE></P> <P>As a cross-check, running this:</P> <PRE><CODE>| inputlookup sessions.csv | stats count as sessions sum(amount) as total by user | stats avg(total) </CODE></PRE> <P>yields an average total per user of 17.411765, just as predicted by the 0% value <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 14 Apr 2014 20:08:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-by-percentile/m-p/131116#M35764 martin_mueller 2014-04-14T20:08:25Z