Splunk Search

Percentile 25 and Percentile 75 provides different result while using streamstats and stats

Kirantcs
Path Finder

Hello,

I have 3 values 15,26,18. Now assume my 18 is my latest value and i want to find p25 and p75 including the latest value by using all 3 values. If done i should one statistics with 2 column.

I tried to it by using stats and below is a picture.

Kirantcs_0-1600973423304.png

Now i verified the same via internet and found the values as below.

Kirantcs_1-1600973551058.pngKirantcs_2-1600973575356.png

 

Now i dont understaad why dont i get the same value while using streamstats, I use window=3 which shud consider all 3 value and since its streaming, shouldn't it just look at previous 3 values(current=t) and find p25 and p75?

Then why am i getting different values as below? Just look at the last row values.

Kirantcs_0-1600973141462.png

 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

I get the expected results when I use streamstats without the window option.

| makeresults 
| eval value="15,26,18" 
| makemv delim="," value 
| mvexpand value 
| fields - _time 
| streamstats p25(value) p75(value)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

I get the expected results when I use streamstats without the window option.

| makeresults 
| eval value="15,26,18" 
| makemv delim="," value 
| mvexpand value 
| fields - _time 
| streamstats p25(value) p75(value)
---
If this reply helps you, Karma would be appreciated.

Kirantcs
Path Finder

Yes @richgalloway , care to explain how?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I can't explain it other that to say I tested several window values and only zero produced the expected results.  It's definitely non-intuitive.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...