How to create a field of percentiles of a stats fi...

dragut · ‎06-06-2018

I have constructed a responsetime field using eval resp=endtime-startime,now I want to get a list of percentiles from 10% to 90% for this new resp field for further process. How to construct such field and also its accompanying field of number of percentiles from 10 to 90?
Thanks.

adonio · ‎06-07-2018

maybe try .... | stats perc<int>(resp) as resp_<int>_percentile ....
replace <int> with your desired percentile
read here more:
http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Stats
http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Aggregatefunctions
hope it helps

DalJeanis · ‎06-07-2018

Yes, @dragut, just do this with 9 different percentiles and you get your desired answer.

| stats perc10(resp) as resp_perc10 
    perc20(resp) as resp_perc20 
    perc30(resp) as resp_perc30 
     ....
    perc90(resp) as resp_perc90

dragut · ‎06-07-2018

My problem is I want to construct a new field say resp_Percen which contains nine values of 10 to 90 percentile of the response time. Is there a way to consolidate the nine different fields from eval into one field so that I could use linear regression and other machine learning kit tools for furthere processing?

How to create a field of percentiles of a stats field

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout