Splunk Search

How can I stats sparkline with percentile like p50, p90, p99?

Dewey_SH
Observer

There are logs with contents like [{timestamp: xxx, duration: 5, url: "/foo1", status: 200}, {timestamp: xxx, duration: 7, url: "/foo2", status: 200}, {duration: 6, url: "/foo1", status: 200}...]

I'd like to get stats for the throughput and latency with sparklines. Now I can get the avg sparkline; however, I'd like to know if there is a way to get the p50 sparkline, p90 sparkline or so, as the avg latency sparkline might not be helpful enough.
A sample query is below.

...  earliest=-1d@d latest=@d | stats
    sparkline(count, 5m) as throughput,
    sparkline(avg(duration), 5m) as latency,
    count as total_requests,
    p50(duration) as duration_p50,
    p90(duration) as duration_p90,
    p99(duration) as duration_p99

0 Karma

SimonEvans
New Member

I would like to have sparklines for percentiles too. The aggregate functions documentation (Aggregate functions - Splunk Documentation) suggests percentile functions (exactperc<percentile>, perc<percentile> and upperperc<percentile>) can be used with sparkline like the following; however, I get the error 'Error in 'stats' command: Invalid aggregation function for sparkline.' when I try to use it.

... | stats ... sparkline(perc95(duration), 5m) as duration_p95 ...

I have resorted to having sparklines for max, avg and min and calculating overall percentile values like the following:

... | stats sparkline(max(duration), 5m) AS duration_max,
perc95(duration) AS duration_p95_overall,
sparkline(avg(duration), 5m) AS duration_avg,
sparkline(min(duration), 5m) AS duration_min

0 Karma

PickleRick
SplunkTrust

That's because stats doesn't do sparklines. You can use sparkline with chart command or some dashboard elements.

0 Karma
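
One possible workaround for the question above, added here as an example and not taken from any post in this thread: bucket the events into 5-minute bins, compute the percentiles per bin, then draw each sparkline over those per-bin values using an aggregation that sparkline accepts. It assumes the events carry `_time` and a numeric `duration` field as in the question; the names `requests`, `p50`, `p90`, `p99` and `latency_*` are illustrative.

```spl
... earliest=-1d@d latest=@d
| bin _time span=5m
| stats count AS requests,
        perc50(duration) AS p50,
        perc90(duration) AS p90,
        perc99(duration) AS p99
        BY _time
| stats sparkline(sum(requests), 5m) AS throughput,
        sparkline(max(p50), 5m) AS latency_p50,
        sparkline(max(p90), 5m) AS latency_p90,
        sparkline(max(p99), 5m) AS latency_p99,
        sum(requests) AS total_requests
```

Each 5-minute bin holds a single pre-computed value, so `max` simply passes it through to the sparkline. The overall `duration_p50`, `duration_p90` and `duration_p99` figures from the original query still have to be computed from the raw events, because a percentile of per-bin percentiles is not the overall percentile.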