Splunk Search

How to get the volume of events at a specific percentile?

efavreau
Motivator

Let's say you have 100 events, and each one increases in duration by 1 second. So event 1 is 1 second long and event 100 is 100 seconds long. If I do perc99(duration), I get the value of 99. How do I get the volume for that percentile? While "count" can provide me the count of total events, how could I demonstrate perc99(count)?

In this scenario, the expected result would be "1", as one event was at the value of the 99th percentile. My wish is to demonstrate this on a timechart; something similar to:

timechart perc99(duration) AS "99th Percentile" perc99(count) AS Volume

Ideas?AhOkay!

###

If this reply helps you, an upvote would be appreciated.
0 Karma
1 Solution

mayurr98
Super Champion

Percentiles, variance, population variance, sum of squares, and standard deviation all come to mind.

There is also a delta command if that is really what you want.

 | bin _time as Day span=1m | stats count by duration Day  | stats perc99(count) as "count", p99(duration) as "99th percentile" by Day | eval Day=strftime(Day,"%m/%d/%y %H:%M:%S")

Let me know if this query helps!

View solution in original post

mayurr98
Super Champion

Percentiles, variance, population variance, sum of squares, and standard deviation all come to mind.

There is also a delta command if that is really what you want.

 | bin _time as Day span=1m | stats count by duration Day  | stats perc99(count) as "count", p99(duration) as "99th percentile" by Day | eval Day=strftime(Day,"%m/%d/%y %H:%M:%S")

Let me know if this query helps!

Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...