Splunk Search

How to create a timechart of the percentage of users whose download times were above average for a period of time?

ateterine
Path Finder

Hi fellow Splunkers

I am trying to calculate the percentage of users whose download times were above average and create a timechart from it.

I might be going in the completely wrong direction, but I hit the wall and need help.

So far I have:

'search string goes here' event_name=video_heartbeat | 
timechart dc(user_id) as TotalUsers 
stdevp(chunk_load_time_ms) AS StDev 
avg(chunk_load_time_ms) AS Average |
eval StdevTop =  StDev + Average 

I now have the total number of users and the top value. I now need to find the percentage of users who have a chunk_load_time_ms value higher than StdevTop.

Thank you


somesoni2
SplunkTrust

Try something like this (you would have to choose a span for your timechart)

your base search event_name=video_heartbeat
| bucket span=1h _time
| eventstats stdevp(chunk_load_time_ms) AS StDev avg(chunk_load_time_ms) AS Average by _time
| eval StdevTop = StDev + Average
| eval UserOverAvg=if(chunk_load_time_ms>StdevTop, user_id, null())
| timechart span=1h dc(user_id) as TotalUsers dc(UserOverAvg) as UserOverAvg
| eval Percentage=round(UserOverAvg*100/TotalUsers,2)

ateterine
Path Finder

Thanks! That seems like it does the trick. The challenge is that it is very slow. I've tried running this on the last 24hrs of data and it took over 1,5hrs. I cannot accelerate the saved report either...

Any suggestions on optimizing and streamlining the search to make it more efficient?

Thanks
