Hi fellow Splunkers
I am trying to calculate the percentage of users whose download times were above average and create a timechart from it.
I might be going in a completely wrong direction, but I hit the wall and need help.
So far I have:
    'search string goes here' event_name=video_heartbeat
    | timechart dc(user_id) as TotalUsers
        stdevp(chunk_load_time_ms) AS StDev
        avg(chunk_load_time_ms) AS Average
    | eval StdevTop = StDev + Average
I now have the total number of users and the top value. I now need to find the percentage of users who have a chunk_load_time_ms value higher than StdevTop.
Thank you
Try something like this (you would have to choose a span for your timechart)
    your base search event_name=video_heartbeat
    | bucket span=1h _time
    | eventstats stdevp(chunk_load_time_ms) AS StDev avg(chunk_load_time_ms) AS Average by _time
    | eval StdevTop = StDev + Average
    | eval UserOverAvg=if(chunk_load_time_ms>StdevTop, user_id, null())
    | timechart span=1h dc(user_id) as TotalUsers dc(UserOverAvg) as UserOverAvg
    | eval Percentage=round(UserOverAvg*100/TotalUsers,2)
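The calculation in the search above, reproduced in Python as an added example (not part of the original answer) so the per-bucket results can be checked by hand on a small sample. The events and the function name `percent_users_over_threshold` are constructed for illustration; the sample shows that a user with several slow events in one hour is counted once, and that a bucket with no spread yields 0%.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events: (timestamp, user_id, chunk_load_time_ms)
SAMPLE_EVENTS = [
    ("2024-01-01T10:05:00", "u1", 100),
    ("2024-01-01T10:15:00", "u2", 100),
    ("2024-01-01T10:25:00", "u3", 100),
    ("2024-01-01T10:35:00", "u4", 500),
    ("2024-01-01T10:45:00", "u4", 520),  # same user, second slow event
    ("2024-01-01T11:05:00", "u1", 200),
    ("2024-01-01T11:30:00", "u2", 200),
]


def percent_users_over_threshold(events):
    """Return {hour: (TotalUsers, UserOverAvg, Percentage)} per 1h bucket."""
    buckets = defaultdict(list)
    for ts, user, load_ms in events:
        # Equivalent of: bucket span=1h _time
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        buckets[hour.isoformat()].append((user, load_ms))

    result = {}
    for hour, rows in sorted(buckets.items()):
        times = [ms for _, ms in rows]
        # Equivalent of: eventstats stdevp(...) avg(...) by _time | eval StdevTop
        stdev_top = pstdev(times) + mean(times)
        # Equivalent of: dc(user_id) and dc(UserOverAvg), distinct users only
        total_users = {user for user, _ in rows}
        users_over = {user for user, ms in rows if ms > stdev_top}
        percentage = round(len(users_over) * 100 / len(total_users), 2)
        result[hour] = (len(total_users), len(users_over), percentage)
    return result


if __name__ == "__main__":
    for hour, row in percent_users_over_threshold(SAMPLE_EVENTS).items():
        print(hour, row)
```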
Thanks! That seems like it does the trick. The challenge is that it is very slow. I've tried running this on the last 24hrs of data and it took over 1,5hrs. I cannot accelerate the saved report either...
Any suggestions on optimizing and streamlining the search to make it more efficient?
Thanks