Splunk Search

How to get average response time (95%,99% and 100%)

Isaias_Garcia
Path Finder

I have the below data (response time) and I need to filter it from fastest to slowest response time and then get the following: Average Response Time (95%), Average Response Time (99%) and Average Response Time (100%). What would be the right search query for this? I tried some suggestions here but can't get the right solutions. Please help. Thank you

Response_Time
0.625
2.133
2.773
5.191
2.471
2.124
2.066
0.795
1.239
2.958
6.197
2.582
0.779
1.63
2.029
2.653
0.98
2.975
6.814
6.661
0.963
2.064
0.966
1.56

vkari
New Member

index=myindex1
eventName=5000 ---> has (starting time and ending time) and reference id
eventName=5001 ---> has (starting time and ending time) and reference id

Here is my condition: if the reference id is the same for both event names, then
I need to show the event 5000 starting time, the event 5001 ending time, the total duration and the average time in dashboards.
Can you please provide a query?

0 Karma

Priya312
Explorer

Hi,

I'm also trying to get the best95, best96, best97, best98 and best99 stats for the response time avgs. Any luck on this?

0 Karma

AdsicSplunk
New Member

Hi @Isaias.Garcia,

Did you get any solution for your question? I am also having the same trouble. Could you please advise on this?

0 Karma

bwooden
Splunk Employee

Are you referring to the 95th percentile when you say average 95%?

If so, you can use the stats command's perc function (which may be abbreviated as p) along with average (avg), min and max functions. NB: All stats functions are listed here along with their description and usage notes: http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/CommonStatsFunctions

Putting them all together, you would end up with something like this (where ... represents your base search):

... | stats min(Response_Time) as RT_fastest max(Response_Time) as RT_slowest p95(Response_Time) as RT_p95 p99(Response_Time) as RT_p99 avg(Response_Time) as RT_avg
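The distinction raised in the answer above (95th percentile versus an average over the fastest 95% of requests), as an added example that is not part of the original answer. It rebuilds the sample values from the question with `makeresults` so it runs without an index; the field names `cut95`, `cut99`, `RT_avg_fastest95`, `RT_avg_fastest99` and `RT_avg_100` are assumptions chosen for illustration.

```spl
| makeresults
| eval Response_Time=split("0.625 2.133 2.773 5.191 2.471 2.124 2.066 0.795 1.239 2.958 6.197 2.582 0.779 1.63 2.029 2.653 0.98 2.975 6.814 6.661 0.963 2.064 0.966 1.56", " ")
| mvexpand Response_Time
| eval Response_Time=tonumber(Response_Time)
| eventstats p95(Response_Time) as cut95 p99(Response_Time) as cut99
| stats avg(Response_Time) as RT_avg_100
        avg(eval(if(Response_Time<=cut95, Response_Time, null()))) as RT_avg_fastest95
        avg(eval(if(Response_Time<=cut99, Response_Time, null()))) as RT_avg_fastest99
        max(cut95) as RT_p95
        max(cut99) as RT_p99
```

`eventstats` attaches the percentile cut-offs to every event, so the final `stats` can average only the values at or below each cut-off while still reporting the percentiles themselves. To use it on real data, replace the first four lines with the base search.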

vijaysubramania
Path Finder

Thanks. I am able to get that in milliseconds, but I want to convert the response time to percent as well for reporting and compare it with the earlier week. How to achieve that?

0 Karma