95th Percentile for this Query

Hello: I am extremely new to Splunk and was given a task by my manager. He provided the query below and wanted to know the 95th percentile of the results.

``````sourcetype=W3SVC_Log s_computername="*PRD*" cs_uri_stem="*/LMS/*" time_taken>10000 | stats avg(time_taken) as AvgTimetakenMS count(cs_uri_stem) as Count by cs_uri_stem | sort -Count | head 20
``````

Would this be the correct query to achieve his objective?:

``````sourcetype=W3SVC_Log s_computername="*PRD*" cs_uri_stem="*/LMS/*" time_taken>10000 | stats avg(time_taken) as AvgTimetakenMS count(cs_uri_stem) as Count by cs_uri_stem | stats perc95(time_taken) | sort -Count | head 20
``````

Thank you!

Re: 95th Percentile for this Query

There is a function for that. See here:

So I would think this (but it really depends on exactly what he meant):

``````sourcetype=W3SVC_Log s_computername="*PRD*" cs_uri_stem="*/LMS/*" time_taken>10000
| stats avg(time_taken) as AvgTimetakenMS perc95(time_taken) count(cs_uri_stem) as Count by cs_uri_stem
| sort -Count
``````
Re: 95th Percentile for this Query

Thank you woodcock! This looks great. He was looking for the 95th percentile of the time taken.

Re: 95th Percentile for this Query

If you want to calculate the 95th percentile of the time taken for each URL where time_taken>10000 and then display a table with the URL, average time taken, count and 95th percentile you can use the following:

``````sourcetype=W3SVC_Log s_computername="PRD" cs_uri_stem="/LMS/"  time_taken>10000
| eventstats perc95(time_taken) as Perc95 by cs_uri_stem
| stats avg(time_taken) as AvgTimetakenMS count(cs_uri_stem) as Count by cs_uri_stem,Perc95
| sort -Count | head 20
| eval AvgTimetakenMS = round(AvgTimetakenMS,0)
| table cs_uri_stem,AvgTimetakenMS,Count,Perc95
``````

Again, if that's the intended result... you may need to clarify 95th percentile of what.

Re: 95th Percentile for this Query

Thank you adigrio! He was looking for the 95th percentile of the time taken. Your query works great and the table is awesome.