Hi

I'm using the  function PERC95 (p95) and PERC99 (p99) to retrieve request duration/response time for requests from a serverfarm (frontend servers).

As far as I have understood these functions should give you the MAX value of a set of values, so in a thought scenario if you have 100 requests during 1 second the p95 should retrieve 95 of the requests with the lowest response time and out of these 95 requests it will pick out the highest response time as the p95 value.

A thought scenario would be that the response time value of these 95 request were in the range of 50ms to 300ms. The p5 value would then be 300ms.

I've used searches with p95 and p99 and thought this was correct but looking at the events I get out of both p95 and p99 the response time does not make any sense as this "300ms" value cannot be found, and very often I cannot find any close value to this number at all.

Anyone that could enligthen me here in relation to the output I'm getting?

Example of search:

index=test host=server sourcetype=app_httpd_access AND "example"
| bin _time span=1s
| stats p99(A_1) as RT_p99_ms p95(A_1) as RT_p95_ms count by _time
| eval RT_p95_ms=round(RT_p95_ms/1000,2)
| eval RT_p99_ms=round(RT_p99_ms/1000,2)

p95 value output: 341,87ms

Total number of values returned during 1 second for p95: 15

Response time output in ms (I was expecting value 341,87 on the TOP here but it's not present) :