- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Percentile values over time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I have a query to look at the number of times a user does an event, and then get different percentiles of these. I'd however like to change this to track it over time. I've tried adding in timechart but it has not worked.
Do yo ukow if this Is this an easy thing to do?
Thanks
index=beacon <search query> | chart count by ID | stats perc99(count), perc1(count), perc50(count)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked for me:
index=beacon | bin _time as Day span=1m | stats count by ID Day | stats perc99(count) as P99, perc50(count) as P50 by Day
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked for me:
index=beacon | bin _time as Day span=1m | stats count by ID Day | stats perc99(count) as P99, perc50(count) as P50 by Day
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Percentile of what, precisely?
The code you posted returns, of all the total counts of all the users, what are the values for count that represent the user at the 99th percentile, the 50th and the 1st.
If you wanted to know what the 99th percentile count was for each day, then you could do this
index=beacon <search query> | bin _time as Day span=1d | stats count by ID Day| stats perc99(count) as P99 by Day
... and then you could calculate the AVERAGE of the daily 99th percentiles ...
| stats avg(P99) as avg99thPercentile
...or if you wanted to know what the 99th percentile count was regarding the set of "event count per day per user" for the entire data set, you could do this...
index=beacon <search query> | bin _time as Day span=1d | stats count by ID Day | stats perc99(count)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks!
This is what I needed
index=beacon <search query> | bin _time as Day span=1d | stats count by ID Day| stats perc99(count) as P99 by Day
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please try the following (timechart will require _time field which is getting removed by your chart query):
index=beacon <search query>
| chart count min(_time) as _time by ID
| timechart perc99(count) as Perc99 perc1(count) as Perc1 perc50(count) as Perc50
PS: span will be defaulted based on your Time Range selection or else you would need to introduce the same for chart and timechart.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ewanbrown... Were you able to try this out. Did the query work for you?
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for replying. It didn't seem to work. The 99 percentile value seems to get bigger the further back in time you went.
This worked for me though
index=beacon Platform=android | bin _time as Day span=1m | stats count by INID Day | stats perc99(count) as P99, perc50(count) as P50 by Day
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
