Splunk Search

Percentile 25 and Percentile 75 provides different result while using streamstats and stats

Kirantcs
Path Finder

Hello,

I have 3 values 15,26,18. Now assume my 18 is my latest value and i want to find p25 and p75 including the latest value by using all 3 values. If done i should one statistics with 2 column.

I tried to it by using stats and below is a picture.

Kirantcs_0-1600973423304.png

Now i verified the same via internet and found the values as below.

Kirantcs_1-1600973551058.pngKirantcs_2-1600973575356.png

 

Now i dont understaad why dont i get the same value while using streamstats, I use window=3 which shud consider all 3 value and since its streaming, shouldn't it just look at previous 3 values(current=t) and find p25 and p75?

Then why am i getting different values as below? Just look at the last row values.

Kirantcs_0-1600973141462.png

 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

I get the expected results when I use streamstats without the window option.

| makeresults 
| eval value="15,26,18" 
| makemv delim="," value 
| mvexpand value 
| fields - _time 
| streamstats p25(value) p75(value)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

I get the expected results when I use streamstats without the window option.

| makeresults 
| eval value="15,26,18" 
| makemv delim="," value 
| mvexpand value 
| fields - _time 
| streamstats p25(value) p75(value)
---
If this reply helps you, Karma would be appreciated.

Kirantcs
Path Finder

Yes @richgalloway , care to explain how?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I can't explain it other that to say I tested several window values and only zero produced the expected results.  It's definitely non-intuitive.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...