Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does perc95 require all the raw data for the entire interval?

ddrillic
Ultra Champion
‎06-16-2019 03:50 PM

Perc95 is becoming more and more popular with our executives. We wonder whether we need to have all the raw data in order to calculate it.
So, let's say we know what it is for January and next we need to know the value for January and February.
Do we need all the raw data for January and February? or we can somehow capture whatever is needed from January in a summary index and calculate based on that and the raw data for February the value for both months together.

For clarity about the perc95's definition - what does perc95 and all those stats functions perc*

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-17-2019 01:56 AM

Hi @ddrillic,

The percX is based on the distribution of your results based on how many times each value appeared. If you save percXfrom January in a summary index for example you won't be able to use it to build the percX over January-February unless you knew the total number of count per value for January.

That being said, if you want to use summary indexing to improve performance for perc90 then you will need to save the count per value per month. With that you can take the count per value for January, February, sum it up and then use the perc90 on it to get the exact results.

Let me know if that helps.

Cheers,
David

View solution in original post

Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-17-2019 01:56 AM

Hi @ddrillic,

The percX is based on the distribution of your results based on how many times each value appeared. If you save percXfrom January in a summary index for example you won't be able to use it to build the percX over January-February unless you knew the total number of count per value for January.

That being said, if you want to use summary indexing to improve performance for perc90 then you will need to save the count per value per month. With that you can take the count per value for January, February, sum it up and then use the perc90 on it to get the exact results.

Let me know if that helps.

Cheers,
David

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎06-17-2019 08:19 AM

Very interesting David.

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎07-17-2019 10:58 AM

Thanks for accepting ! Happy Splunking 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...