
95th Percentile for this Query

New Member

Hello: I am extremely new to Splunk and was given a task by my manager. He provided the query below and wanted to know the 95th percentile of the results.

sourcetype=W3SVC_Log s_computername="*PRD*" cs_uri_stem="*/LMS/*" time_taken>10000 | stats avg(time_taken) as AvgTimetakenMS count(cs_uri_stem) as Count by cs_uri_stem | sort -Count | head 20

Would this be the correct query to achieve his objective?:

sourcetype=W3SVC_Log s_computername="*PRD*" cs_uri_stem="*/LMS/*" time_taken>10000 | stats avg(time_taken) as AvgTimetakenMS count(cs_uri_stem) as Count by cs_uri_stem | stats perc95(time_taken) | sort -Count | head 20

Thank you!

0 Karma

Re: 95th Percentile for this Query

Esteemed Legend

There is a function for that. See here:
https://answers.splunk.com/answers/99632/what-does-perc95-and-all-those-stats-functions-perc.html

So I would think this (but it really depends on exactly what he meant):

sourcetype=W3SVC_Log s_computername="*PRD*" cs_uri_stem="*/LMS/*" time_taken>10000
| stats avg(time_taken) as AvgTimetakenMS perc95(time_taken) count(cs_uri_stem) as Count by cs_uri_stem
| sort -Count
| head 20


0 Karma

Re: 95th Percentile for this Query

New Member

Thank you woodcock! This looks great. He was looking for the 95th percentile of the time taken.

0 Karma

Re: 95th Percentile for this Query

Path Finder

If you want to calculate the 95th percentile of the time taken for each URL where time_taken>10000 and then display a table with the URL, average time taken, count and 95th percentile you can use the following:

sourcetype=W3SVC_Log s_computername="*PRD*" cs_uri_stem="*/LMS/*" time_taken>10000
| eventstats perc95(time_taken) as Perc95 by cs_uri_stem
| stats avg(time_taken) as AvgTimetakenMS count(cs_uri_stem) as Count by cs_uri_stem,Perc95
| sort -Count | head 20
| eval AvgTimetakenMS = round(AvgTimetakenMS,0)
| table cs_uri_stem,AvgTimetakenMS,Count,Perc95

Again, if that's the intended result... you may need to clarify 95th percentile of what.

0 Karma

Re: 95th Percentile for this Query

New Member

Thank you adigrio! He was looking for the 95th percentile of the time taken. Your query works great and the table is awesome.

0 Karma
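
Added example (not part of the thread and not Splunk code): a small Python model of the pipelines discussed above, run on constructed events. It shows why a second `stats` after the first has no `time_taken` left to aggregate, and how the `time_taken>10000` filter changes what the 95th percentile is "of". The nearest-rank percentile and the helper names are assumptions made for the illustration; Splunk's `perc95` may approximate or interpolate differently.

```python
from collections import defaultdict


def _ev(uri, times):
    # Constructed IIS-style events (not real log data); field names follow the thread.
    return [{"cs_uri_stem": uri, "time_taken": t} for t in times]


EVENTS = (
    _ev("/LMS/login.aspx", [150] * 10 + [400] * 5 + [2000] * 2 + [11000, 15000, 40000])
    + _ev("/LMS/report.aspx", [300] * 8 + [12000, 13000])
)


def perc(values, p=95):
    """Nearest-rank percentile (assumed method, not Splunk's algorithm)."""
    s = sorted(values)
    return s[(p * len(s) + 99) // 100 - 1]  # integer ceil(p*n/100), then 0-based


def slow_only(events, threshold=10000):
    """Model of the search-time filter time_taken>10000."""
    return [e for e in events if e["time_taken"] > threshold]


def stats_by_uri(events):
    """Model of one stats computing avg, count and perc95 by cs_uri_stem,
    followed by sort -Count | head 20."""
    groups = defaultdict(list)
    for e in events:
        groups[e["cs_uri_stem"]].append(e["time_taken"])
    rows = [
        {"cs_uri_stem": uri, "AvgTimetakenMS": round(sum(v) / len(v)),
         "Count": len(v), "Perc95": perc(v)}
        for uri, v in groups.items()
    ]
    return sorted(rows, key=lambda r: -r["Count"])[:20]


def chained_stats(events):
    """Model of the question's second query: the first stats keeps only the
    by-field and its aggregates, so a later perc95(time_taken) sees no values."""
    rows = [{k: r[k] for k in ("cs_uri_stem", "AvgTimetakenMS", "Count")}
            for r in stats_by_uri(events)]
    vals = [r["time_taken"] for r in rows if "time_taken" in r]
    return perc(vals) if vals else None


if __name__ == "__main__":
    print("slow requests only:", stats_by_uri(slow_only(EVENTS)))
    print("all requests:      ", stats_by_uri(EVENTS))
    print("chained stats:     ", chained_stats(slow_only(EVENTS)))
```

With the filter applied first, the percentile describes only requests that already exceeded 10 seconds; over all requests to the same URL it is a different, lower number.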