Re: How can I stats sparkline with percentile like...

Dewey_SH · ‎07-08-2022

There are logs with contents like [{timestamp: xxx, duraton: 5, url: "/foo1", status: 200}, {timestamp: xxx, duraton: 7, url: "/foo2", status: 200}, {duraton: 6, url: "/foo1", status: 200}...]

I'd like stats the throughput and latency with sparkline. Now I can get the avg sparkline, however, if there is a way to get the p50 sparkline, p90 sparkline or so, the avg latency sparkline might not be helpful enough.
Sample query is like below.

... earliest=-1d@d latest=@d | stats
sparkline(count, 5m) as throughput,
sparkline(avg(duration), 5m) as latency,
count as total_requests,
p50(duration) as duration_p50,
p90(duration) as duration_p90,
p99(duration) as duration_p99

SimonEvans · ‎06-08-2023

I would like to have sparklines for percentiles too. The aggregate functions documentation (Aggregate functions - Splunk Documentation) suggests percentile functions (exactperc<percentile>, perc<percentile> and upperperc<percentile>) can be used with sparkline like the following, however I get the error 'Error in 'stats' command: Invalid aggregation function for sparkline.' when I try to use it.

... | stats ... sparkline(perc95(duration), 5m) as duration_p95 ...

I have resorted to having sparklines for max, avg and min and calculating overall percentile values like the following:

... | stats sparkline(max(duration), 5m) AS duration_max,
perc95(duration) AS duration_p95_overall,
sparkline(avg(duration), 5m) AS duration_avg,
sparkline(min(duration), 5m) AS duration_min

PickleRick · ‎06-08-2023

That's because stats doesn't do sparklines. You can use sparkline with chart command or some dashboard elements.

How can I stats sparkline with percentile like p50, p90, p99?

stats

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio