Getting Data In

How to get the percentile 90 of the response time in Splunk?

Subarna
Explorer

Hi Team

 I want to get the percentile 90 of the response time in splunk. Suppose I have the below response times. What is the query with which I can get the percentile 90 in Splunk

 

1.379
1.276
1.351
2.062
1.465
3.107
1.621
1.901
1.562
27.203

 

 

Please help on the same

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Assuming the response times are stored in a field called 'response_time' that you could calculate that statistic using the p90 function in the stats command.

... | stats p90(response_time) as p90_response_time

 

---
If this reply helps you, Karma would be appreciated.
0 Karma

Subarna
Explorer

hi @richgalloway 

Below are the response times. As per my understanding the 90th Percentile of the Response times should be 3.10 . But if I use the command u mentioned below it is coming as 5.51. Please help me to understand the calculation that is done to find out the 90th percentile.

1.379
1.276
1.351
2.062
1.465
3.107
1.621
1.901
1.562
27.203

0 Karma

bowesmana
SplunkTrust
SplunkTrust

An interesting point - as @richgalloway points out, it uses nearest rank method for perc(), but you will note a difference if you use exacperc90(x), which will return you 27.203

Looking at the interpolated method on that Wikiepedia page, you can see that

PC: percentile specified 0.10 0.25 0.50 0.75 0.90

N: number of scores1010101010
OR: PC×(N+1) / PC×(N−1)+11.1/1.92.75/3.255.5/5.58.25/7.759.9/9.1
LoRank: OR truncated1/12/35/58/79/9
HIRank: OR rounded up2/23/46/69/810/10

 

The HiRank gives you the 10/10 position for a 90th percentile, which in your example, seems rather counter-intuitive.

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I don't know exactly how Splunk computes the perc90 number other than using the "Nearest Rank" algorithm, but the docs at https://docs.splunk.com/Documentation/Splunk/9.0.2/SearchReference/Aggregatefunctions#perc.26lt.3BX.... call it an estimate.  You can try the exactperc90 function to see if it gives a better result.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...