How to get value which is coming at 95 position (%) in Splunk

Explorer

How to get the value that is coming at 95 position (%) in Splunk.

I have n values coming from stats command, after that, I need to display a value which is at position 95 (%).
Example below:

I got these results (total 17 for this example) by using | stats count by Responsetime | sort Responsetime (all sorted in ascending order)

Responsetime    count
11  1
12  183
13  13968
14  81599
15  104666
16  70917
17  43351
18  26854
19  17698
20  12432
21  9401
22  7561
23  6139
24  5175
25  4581
26  4087
27  3899

So manually, if I have to look for the value at the 95 position (%), I take total results ((17) * 95 position (%))/100 = 16 (the value at the 16th place out of 17), so the value I need to display would be 26 in the above example. I am stuck on how Splunk will calculate that position. I reached the point where I got that the 16th is the place, but now the challenge is how to tell Splunk to display the value which is at the 16th place.

1 Solution

Ultra Champion
your search
| stats count by Responsetime 
| sort Responsetime
| rename COMMENT as "this is your result. from here, the logic"
| streamstats count as line_no
| eventstats perc95(eval(max(line_no))) as perc95Pos
| where line_no <= perc95Pos
| table Responsetime,count
| tail 1

Hi, folks.
maybe this is it?


Explorer

This one works like a pro, thank you so much 🙂

SplunkTrust

@ashikuma your exact query from the example and question is not clear. However, if you want to calculate and show the 95th percentile value rounded off to an integer, you can try the following using the perc statistical function:

<yourExistingSearchThatGivesAboveResults>
| stats perc95(Responsetime) as per95RespTime
| eval per95RespTime=round(per95RespTime,0)

Following is a run-anywhere example to show the results with the 95th percentile value associated with each row (using eventstats instead of stats) so that you can perform further calculations. (Commands from | makeresults till | fields Responsetime count are used to generate dummy data as per your question.)

| makeresults 
| eval data="11 1;12 183;13 13968;14 81599;15 104666;16 70917;17 43351;18 26854;19 17698;20 12432;21 9401;22 7561;23 6139;24 5175;25 4581;26 4087;27 3899" 
| makemv data delim=";" 
| mvexpand data 
| makemv data delim=" " 
| eval Responsetime=mvindex(data,0), count=mvindex(data,1)
| fields - _time data
| fields Responsetime count
| eventstats perc95(Responsetime) as per95RespTime
| eval per95RespTime=round(per95RespTime,0)
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"