Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I stats sparkline with percentile like p50, p90, p99?

Dewey_SH
Observer
‎07-08-2022 04:57 AM

There are logs with contents like [{timestamp: xxx, duraton: 5,  url: "/foo1", status: 200}, {timestamp: xxx, duraton: 7,  url: "/foo2", status: 200}, {duraton: 6,  url: "/foo1", status: 200}...]

I'd like stats the throughput and latency with sparkline. Now I can get the avg sparkline, however, if there is a way to get the p50 sparkline, p90 sparkline or so, the avg latency sparkline might not be helpful enough.
Sample query is like below. 

...  earliest=-1d@d latest=@d | stats
    sparkline(count, 5m) as throughput,
    sparkline(avg(duration), 5m) as latency,
    count as total_requests,
    p50(duration) as duration_p50,
    p90(duration) as duration_p90,
    p99(duration) as duration_p99

Labels (1)
Labels
Tags (1)
0 Karma
Reply

SimonEvans
New Member
‎06-08-2023 10:43 PM

I would like to have sparklines for percentiles too. The aggregate functions documentation (Aggregate functions - Splunk Documentation) suggests percentile functions (exactperc<percentile>, perc<percentile> and upperperc<percentile>) can be used with sparkline like the following, however I get the error 'Error in 'stats' command: Invalid aggregation function for sparkline.' when I try to use it.

... | stats ... sparkline(perc95(duration), 5m) as duration_p95 ...

I have resorted to having sparklines for max, avg and min and calculating overall percentile values like the following:

... | stats sparkline(max(duration), 5m) AS duration_max,
perc95(duration) AS duration_p95_overall,
sparkline(avg(duration), 5m) AS duration_avg,
sparkline(min(duration), 5m) AS duration_min

 

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-08-2023 10:51 PM

That's because stats doesn't do sparklines. You can use sparkline with chart command or some dashboard elements.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...