topic Re: How to search the daily average of the top 95% of events and the percentage change? in Splunk Search

How to search the daily average of the top 95% of events and the percentage change?

test365498 — Wed, 20 Jul 2016 13:29:26 GMT

Hello!

I have two separate searches that I would like to combine into one, someone able to assist, please?

I am trying to accomplish the following: display the 95% top of events daily avg(duration) as well as the percent change of this average between today and yesterday.

This is what I have so far:
For 95% avg: not sure
For %change:

search... | bucket _time span=1d | stats avg(duration) as duration_daily by _time |delta duration_daily as change |eval change_percent=change/(duration_daily-change)*100 |timechart span=1d  first(duration_daily) AS "daily avg", first(change_percent) AS "Change (%)"

Anyway to combine them since I need to see the %change between the average daily values of the 95% of events?

Thank you!

Re: How to search the daily average of the top 95% of events and the percentage change?

skoelpin — Wed, 20 Jul 2016 13:57:59 GMT

You will need to include a subsearch to accomplish this, but you gotta be careful as the performance takes a hit when doing subsearches. You will pipe the first search into | appendcols [search SEARCH2]

Search 1 = index=search1 * | top(duration)
Search 2 = index=search2. | bucket _time span=1d | stats avg(duration) as duration_daily by _time |delta duration_daily as change |eval change_percent=change/(duration_daily-change)*100 |timechart span=1d first(duration_daily) AS "daily avg", first(change_percent) AS "Change (%)"

Would look like this

index=search1 * | top(duration) | appendcols [search index=search2. | bucket _time span=1d | stats avg(duration) as duration_daily by _time |delta duration_daily as change |eval change_percent=change/(duration_daily-change)*100 |timechart span=1d first(duration_daily) AS "daily avg", first(change_percent) AS "Change (%)"]

Re: How to search the daily average of the top 95% of events and the percentage change?

sundareshr — Wed, 20 Jul 2016 13:59:53 GMT

Try this

base search earliest=-1d@d | eval when=if(_time>relative_time(now(), "@d"), "Today", "Yesterday") | eval Time=strftime(relative_time(now(), "@d"), "%m/%d/%Y") | chart  avg(duration) as  duration_daily over Time by when | eval "Change (%)"=round(Yesterday/Today*100, 2) | fields - Today - Yesterday | appendcols [ search base search earliest=@d | eval Time=strftime(relative_time(now(), "@d"), "%m/%d/%Y") | chart perc5(bytes) as 95b over Time]

Re: How to search the daily average of the top 95% of events and the percentage change?

test365498 — Wed, 20 Jul 2016 14:11:39 GMT

Something does not look right on my end. How would the search look like just for the average of events, the top 95?

Re: How to search the daily average of the top 95% of events and the percentage change?

test365498 — Wed, 20 Jul 2016 14:12:55 GMT

Ok, I see. But issue still remains to filter out the bottom 5% and average only the top 95%.

Re: How to search the daily average of the top 95% of events and the percentage change?

skoelpin — Wed, 20 Jul 2016 14:14:27 GMT

| stats perc95(your_field)

Re: How to search the daily average of the top 95% of events and the percentage change?

test365498 — Wed, 20 Jul 2016 14:19:14 GMT

perc95(duration) will give all the points in the top 95%, correct? Then how can I take the average of those?

Re: How to search the daily average of the top 95% of events and the percentage change?

sundareshr — Wed, 20 Jul 2016 14:22:28 GMT

This will only show 3 cols Time, "Change (%)" AND 95b (this is the field with 95th Percentile value. To see avg(event), remove the fields - Today - Yesterday The last segment should be

chart perc5(duration) as 95b over Time

Re: How to search the daily average of the top 95% of events and the percentage change?

skoelpin — Wed, 20 Jul 2016 14:23:51 GMT

You can take the output of | stats perc95(duration) and pipe it into another command to find the average

| stats perc95(duration) | appendcols [search stats avg(duration)]

Re: How to search the daily average of the top 95% of events and the percentage change?

test365498 — Wed, 20 Jul 2016 19:32:58 GMT

Thank you for your input!

Re: How to search the daily average of the top 95% of events and the percentage change?

test365498 — Wed, 20 Jul 2016 19:33:08 GMT

Thank you for your input!

Re: How to search the daily average of the top 95% of events and the percentage change?

skoelpin — Wed, 20 Jul 2016 19:34:07 GMT

Please accept the answer and/or upvote if this helped you