Splunk Search

How to get the volume of events at a specific percentile?


Let's say you have 100 events, and each one increases in duration by 1 second. So event 1 is 1 second long and event 100 is 100 seconds long. If I do perc99(duration), I get the value of 99. How do I get the volume for that percentile? While "count" can provide me the count of total events, how could I demonstrate perc99(count)?

In this scenario, the expected result would be "1", as one event was at the value of the 99th percentile. My wish is to demonstrate this on a timechart; something similar to:

timechart perc99(duration) AS "99th Percentile" perc99(count) AS Volume



If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How to get the volume of events at a specific percentile?


Percentiles, variance, population variance, sum of squares, and standard deviation all come to mind.

There is also a delta command if that is really what you want.

 | bin _time as Day span=1m | stats count by duration Day  | stats perc99(count) as "count", p99(duration) as "99th percentile" by Day | eval Day=strftime(Day,"%m/%d/%y %H:%M:%S")

Let me know if this query helps!

View solution in original post