I am not trying to write a custom search command from the docs I've read on that topic. I rather would like to write my own linear interpolation percentile functions to be called after stats rather than the splunk versions that are a light weight percentile calculator and typically will miscalculate the true percentile. Does anyone have their own stat function they have written or is there something in the search command docs I am missing?
If I understand your question correctly, you're looking to add new user-defined functions to the existing
stats search command. Unfortunately, you can't directly do this today. The custom search command functionality is available, but you would wind up writing your own
stats-like command -- call it
mystats. Custom search commands give you a lot of extension flexibility, but in this example you'd have to re-implement as much of
stats as was needed to make
This came up recently in context of the
eval command - http://splunk-base.splunk.com/answers/26399/can-eval-evaluate-cosines?page=1#26406 . This is another case where it could be worth your trouble to file an Enhancement Request on the subject.
So there is another thread we have going on addressing this issue. The first is that percentiles are being calculated with nearest rank method which is on the level of 8th grade math and for what we do, we need linear interpolation. Second is that it is currently incorrect when doing this as it is taking the next lower value than it should. 1,2,3 returns a median of 1 instead of 2, - 1,2,3,4 will return 2 instead of 2.5. I think we are going to do an ER for either new, more precise percentile functions or ask the existing functions to be corrected. I'm working on the custom search for now.
Did you able to solve this issue. I am also facing issues while calculating the percentile. I have changed the method to interpolated. But still results are incorrect. For eg when calculating over two values i am getting response time higher than 90th percentile.