Solved: Non-integer percentiles?

yplambert · ‎06-24-2013

I would like to find the 99.99th percentile of a value.

The perc(Y) function expects X to be an integer 1-99.

Any ideas?

martin_mueller · ‎06-24-2013

Using p99.99(field) works fine for me:

index=_internal | timechart span=1h count | stats p99(count) p99.99(count) max(count)

Yields this:

  p99(count)  p99.99(count)  max(count)
1       6500          7000         7879

What Splunk version are you using?

martin_mueller · ‎06-24-2013

Using p99.99(field) works fine for me:

index=_internal | timechart span=1h count | stats p99(count) p99.99(count) max(count)

Yields this:

  p99(count)  p99.99(count)  max(count)
1       6500          7000         7879

What Splunk version are you using?

yplambert · ‎06-24-2013

You are right! I tried it and it didn't work, but I must have done something else wrong; it works fine for me now. Thanks!

joebensimo · ‎06-24-2013

Maybe filter for all values greater than the 99th percentile, and then take the 99th percentile of that:

| eventstats perc99(Y) as ninetynine
| where Y> ninetynine
| stats perc99(Y)

However, this won't be quite right in cases that you have more than one event with the 99th percentile value.

Non-integer percentiles?