Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Ranking Data From Search Results into Deciles

MDSplunkNinja
Explorer
‎02-14-2023 03:01 PM

I have a table of data with values like this:


String         Numeric
Client 1      99.9

Client 2      99.2

Client 3      93.8

Client 4      89.0

Client 5      72.9

and so on for miles....

I would like to add a column which outputs Decile rank of the clients based on their numeric value.  Can you point me in the right direction please?

Thank you,

-MD

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-14-2023 04:07 PM

Does this example work for you?

Before eventstats is just setting up example data

| makeresults count=143 
| streamstats c
| eval Client="Client ". c
| fields - _time c
| eval Numeric=random() % 1000 / 10
``` Logic from here to calculate deciles ```
| eventstats perc10(Numeric) as p10 perc20(Numeric) as p20 perc30(Numeric) as p30 perc40(Numeric) as p40 perc50(Numeric) as p50 perc60(Numeric) as p60 perc70(Numeric) as p70 perc80(Numeric) as p80 perc90(Numeric) as p90
``` Now position the client according to rank ```
| foreach 1 2 3 4 5 6 7 8 9 [ eval Rank=if(isnull(Rank) AND Numeric < 'p<<FIELD>>0', <<FIELD>>, Rank) ]
| fillnull Rank value=10
| fields - p*

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎02-14-2023 04:07 PM

Does this example work for you?

Before eventstats is just setting up example data

| makeresults count=143 
| streamstats c
| eval Client="Client ". c
| fields - _time c
| eval Numeric=random() % 1000 / 10
``` Logic from here to calculate deciles ```
| eventstats perc10(Numeric) as p10 perc20(Numeric) as p20 perc30(Numeric) as p30 perc40(Numeric) as p40 perc50(Numeric) as p50 perc60(Numeric) as p60 perc70(Numeric) as p70 perc80(Numeric) as p80 perc90(Numeric) as p90
``` Now position the client according to rank ```
| foreach 1 2 3 4 5 6 7 8 9 [ eval Rank=if(isnull(Rank) AND Numeric < 'p<<FIELD>>0', <<FIELD>>, Rank) ]
| fillnull Rank value=10
| fields - p*

 

Reply
Solved! Jump to solution

MDSplunkNinja
Explorer
‎02-15-2023 06:46 AM

Perfectly...Thank you @bowesmana !

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...