
Percentile values over time

ewanbrown
Path Finder

Hi

I have a query to look at the number of times a user does an event, and then get different percentiles of these. I'd however like to change this to track it over time. I've tried adding in timechart but it has not worked.

Do you know if this is an easy thing to do?

Thanks

index=beacon <search query> | chart count by ID | stats perc99(count), perc1(count), perc50(count)
1 Solution

ewanbrown
Path Finder

This worked for me:

index=beacon | bin _time as Day span=1m | stats count by ID Day | stats perc99(count) as P99, perc50(count) as P50 by Day



DalJeanis
Legend

Percentile of what, precisely?

The code you posted returns, across the total counts of all the users, the values of count that represent the user at the 99th percentile, the 50th and the 1st.

If you wanted to know what the 99th percentile count was for each day, then you could do this

 index=beacon <search query> | bin _time as Day span=1d | stats count by ID Day | stats perc99(count) as P99 by Day

... and then you could calculate the AVERAGE of the daily 99th percentiles ...

| stats avg(P99) as avg99thPercentile

...or if you wanted to know what the 99th percentile count was regarding the set of "event count per day per user" for the entire data set, you could do this...

 index=beacon <search query> | bin _time as Day span=1d | stats count by ID Day | stats perc99(count) 

ewanbrown
Path Finder

Thanks!

This is what I needed

  index=beacon <search query> | bin _time as Day span=1d | stats count by ID Day | stats perc99(count) as P99 by Day

niketn
Legend

Please try the following (timechart requires the _time field, which is removed by your chart query):

index=beacon <search query> 
| chart count min(_time) as _time by ID 
| timechart perc99(count) as Perc99 perc1(count) as Perc1 perc50(count) as Perc50

PS: span defaults based on your Time Range selection; otherwise you would need to add the same span to both chart and timechart.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
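The SPL variants in this thread compute different things, and the difference is easy to miss. As an added illustration (not code from the thread or from Splunk), the following Python reproduces each pipeline over a small constructed set of beacon events: DalJeanis's three forms (percentiles per day, the average of the daily P99s, and one percentile over all per-user-per-day counts), the original `chart count by ID | stats perc...` query (per-user totals over the whole range), and the `chart count min(_time) as _time by ID | timechart ...` form. The event data, the user IDs `u1`..`u6`, and the function names are assumptions; the percentile helper uses the nearest-rank method, which is an assumption about how Splunk's exact percentile is computed (`perc<X>` is an approximation on large sets and may differ slightly).

```python
"""Reproduce the thread's SPL pipelines in plain Python over constructed beacon events.

Added example; the data, user IDs and function names are assumptions, not from the thread.
"""
from collections import defaultdict
from datetime import datetime, timezone
import math

# Constructed sample: number of events for each (day-of-December-2024, user) pair.
_SPEC = {
    (1, "u1"): 1, (1, "u2"): 2, (1, "u3"): 3, (1, "u4"): 4, (1, "u5"): 20,
    (2, "u1"): 2, (2, "u2"): 2, (2, "u3"): 5, (2, "u4"): 6, (2, "u6"): 1,
}


def _build_events(spec):
    """Expand the spec into (epoch_seconds, ID) tuples spread over each day's hours."""
    events = []
    for (day, uid), n in spec.items():
        for i in range(n):
            t = datetime(2024, 12, day, i % 24, i // 24, tzinfo=timezone.utc)
            events.append((t.timestamp(), uid))
    return events


SAMPLE_EVENTS = _build_events(_SPEC)


def bin_day(ts):
    """`bin _time as Day span=1d`: truncate an epoch timestamp to its UTC day."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def percentile(values, p):
    """Nearest-rank percentile. Assumption: Splunk's exact percentile uses this
    method; perc<X> itself is approximate on large sets and may differ slightly."""
    s = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(s)))
    return s[rank - 1]


def count_by_id_day(events):
    """`stats count by ID Day` -> {Day: {ID: count}}."""
    out = defaultdict(lambda: defaultdict(int))
    for ts, uid in events:
        out[bin_day(ts)][uid] += 1
    return out


def percentiles_by_day(events, ps=(99, 50)):
    """`stats perc99(count) as P99, perc50(count) as P50 by Day` (first form)."""
    per_day = count_by_id_day(events)
    return {day: {p: percentile(c.values(), p) for p in ps}
            for day, c in sorted(per_day.items())}


def avg_daily_p99(events):
    """`| stats avg(P99) as avg99thPercentile` over the per-day result (second form)."""
    daily = percentiles_by_day(events, ps=(99,))
    return sum(d[99] for d in daily.values()) / len(daily)


def global_percentile_of_daily_counts(events, p=99):
    """`stats count by ID Day | stats perc99(count)`: one percentile over every
    per-user-per-day count in the whole data set (third form)."""
    per_day = count_by_id_day(events)
    return percentile([c for counts in per_day.values() for c in counts.values()], p)


def percentiles_of_range_totals(events, ps=(99, 1, 50)):
    """The original `chart count by ID | stats perc...`: per-user totals over the
    whole search range, with no time axis at all."""
    totals = defaultdict(int)
    for _, uid in events:
        totals[uid] += 1
    return {p: percentile(totals.values(), p) for p in ps}


def percentiles_by_first_seen_day(events, ps=(99, 50)):
    """`chart count min(_time) as _time by ID | timechart perc...`: each user's
    whole-range total is stamped with that user's first event time, so a day bucket
    holds the totals of the users first seen on that day, not that day's activity."""
    totals, first = defaultdict(int), {}
    for ts, uid in events:
        totals[uid] += 1
        first[uid] = min(first.get(uid, ts), ts)
    by_day = defaultdict(list)
    for uid, total in totals.items():
        by_day[bin_day(first[uid])].append(total)
    return {day: {p: percentile(v, p) for p in ps} for day, v in sorted(by_day.items())}


if __name__ == "__main__":
    print("per day:", percentiles_by_day(SAMPLE_EVENTS))
    print("avg of daily P99:", avg_daily_p99(SAMPLE_EVENTS))
    print("global P99 of daily counts:", global_percentile_of_daily_counts(SAMPLE_EVENTS))
    print("range totals:", percentiles_of_range_totals(SAMPLE_EVENTS))
    print("by first-seen day:", percentiles_by_first_seen_day(SAMPLE_EVENTS))
```

On this sample the per-day form gives a P99 of 20 on the first day and 6 on the second, while the first-seen form puts every long-lived user's whole-range total into the earliest bucket, so the earliest bucket carries the largest values and later buckets only hold newly seen users. That is the behaviour to expect from `chart count min(_time) as _time by ID` when the goal is activity per day.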

niketn
Legend

@ewanbrown... Were you able to try this out? Did the query work for you?


ewanbrown
Path Finder

Thanks for replying. It didn't seem to work. The 99th percentile value seems to get bigger the further back in time you go.

This worked for me though

index=beacon Platform=android | bin _time as Day span=1m | stats count by INID Day | stats perc99(count) as P99, perc50(count) as P50 by Day