Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Ranking Data From Search Results into Deciles

MDSplunkNinja
Explorer
‎02-14-2023 03:01 PM

I have a table of data with values like this:


String         Numeric
Client 1      99.9

Client 2      99.2

Client 3      93.8

Client 4      89.0

Client 5      72.9

and so on for miles....

I would like to add a column which outputs Decile rank of the clients based on their numeric value.  Can you point me in the right direction please?

Thank you,

-MD

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-14-2023 04:07 PM

Does this example work for you?

Before eventstats is just setting up example data

| makeresults count=143 
| streamstats c
| eval Client="Client ". c
| fields - _time c
| eval Numeric=random() % 1000 / 10
``` Logic from here to calculate deciles ```
| eventstats perc10(Numeric) as p10 perc20(Numeric) as p20 perc30(Numeric) as p30 perc40(Numeric) as p40 perc50(Numeric) as p50 perc60(Numeric) as p60 perc70(Numeric) as p70 perc80(Numeric) as p80 perc90(Numeric) as p90
``` Now position the client according to rank ```
| foreach 1 2 3 4 5 6 7 8 9 [ eval Rank=if(isnull(Rank) AND Numeric < 'p<<FIELD>>0', <<FIELD>>, Rank) ]
| fillnull Rank value=10
| fields - p*

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-14-2023 04:07 PM

Does this example work for you?

Before eventstats is just setting up example data

| makeresults count=143 
| streamstats c
| eval Client="Client ". c
| fields - _time c
| eval Numeric=random() % 1000 / 10
``` Logic from here to calculate deciles ```
| eventstats perc10(Numeric) as p10 perc20(Numeric) as p20 perc30(Numeric) as p30 perc40(Numeric) as p40 perc50(Numeric) as p50 perc60(Numeric) as p60 perc70(Numeric) as p70 perc80(Numeric) as p80 perc90(Numeric) as p90
``` Now position the client according to rank ```
| foreach 1 2 3 4 5 6 7 8 9 [ eval Rank=if(isnull(Rank) AND Numeric < 'p<<FIELD>>0', <<FIELD>>, Rank) ]
| fillnull Rank value=10
| fields - p*

 

Reply
Solved! Jump to solution

MDSplunkNinja
Explorer
‎02-15-2023 06:46 AM

Perfectly...Thank you @bowesmana !

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...