Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get value which is coming at 95 position (%...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get the value that is coming at 95 position (%) in Splunk.
I have n values coming from stats command, after that, I need to display a value which is at position 95 (%).
Example below:
I got these results (total 17 for this example) by using | stats count by Responsetime | sort Responsetime ( all sorted in ascending order)
Responsetime count
11 1
12 183
13 13968
14 81599
15 104666
16 70917
17 43351
18 26854
19 17698
20 12432
21 9401
22 7561
23 6139
24 5175
25 4581
26 4087
27 3899
So manually if I have to look for value at 95 position (%) then I will total results ((17) * 95 position (%))/100 = 16 (value at 16 place out of 17), so value would be 26 in above example I need to display. I am stuck that how Splunk will calculate that position , I reached till the point where I got 16th is the place but now the challenge is how to tell Splunk to display value which is at 16th place.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
your search
| stats count by Responsetime
| sort Responsetime
| rename COMMENT as "this is your result. from here, the logic"
| streamstats count as line_no
| eventstats perc95(eval(max(line_no))) as perc95Pos
| where line_no <= perc95Pos
| table Responsetime,count
| tail 1
Hi, folks.
maybe this is it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
your search
| stats count by Responsetime
| sort Responsetime
| rename COMMENT as "this is your result. from here, the logic"
| streamstats count as line_no
| eventstats perc95(eval(max(line_no))) as perc95Pos
| where line_no <= perc95Pos
| table Responsetime,count
| tail 1
Hi, folks.
maybe this is it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this one works like pro, thankyou so much 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ashikuma your exact query from the example and question is not clear. However, if you want to calculate and show the 95th percentile value rounded off to integer you can try the following using perc statistical function:
<yourExistingSearchThatGivesAboveResults>
| stats perc95(Responsetime) as per95RespTime
| eval per95RespTime=round(per95RespTime,0)
Following is a run anywhere example to show the results with 95th percentile value associated with each row (using eventstats instead of stats) so that you can perform further calculations. (Commands from | makeresults till | fields Responsetime count are used to generate dummy data as per your question.
| makeresults
| eval data="11 1;12 183;13 13968;14 81599;15 104666;16 70917;17 43351;18 26854;19 17698;20 12432;21 9401;22 7561;23 6139;24 5175;25 4581;26 4087;27 3899"
| makemv data delim=";"
| mvexpand data
| makemv data delim=" "
| eval Responsetime=mvindex(data,0), count=mvindex(data,1)
| fields - _time data
| fields Responsetime count
| eventstats perc95(Responsetime) as per95RespTime
| eval per95RespTime=round(per95RespTime,0)
| makeresults | eval message= "Happy Splunking!!!"
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
