Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to get percentiles in pivots?

therockhead
Path Finder
‎04-07-2015 03:45 AM

Hi,

I'm attempting to port over some searches to pivots and data models for performance reasons. One issue I'm seeing is getting the percentiles. For example the old search may have something like 

| stats perc25(Duration) AS "25th Percentile", median(Duration) AS "Median", perc75(Duration) AS "75th Percentile", perc95(Duration) AS "95th Percentile"

Is this possible in pivots?

Thanks,
Bill

Tags (2)
Reply

tpflicke
Path Finder
‎09-21-2015 02:24 PM

The pivot command currently (v6.2.1) support the median but not other percentiles.
However, if you simply want to have the reports using datamodel acceleration rather than the drag and drop features of the pivot UI the you could use tstats. The tstats command will use the tsidx files of your accellerated datamodel and you can use perc, exactperc and upperperc.

| tstats p25(Duration) AS p25 p50(Duration) AS p50 p75(Duration) AS p75 from datamodel=SomeDataModel

BTW, for something more complex you might create a pivot via the UI, run it and inspect the job which gives you the tstats command which you can then modify / develop further.

Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...