grouping requests by percentile

joe06031990
Communicator

Good morning, 

I am trying to group the count by percentile, however everything is showing as 0%, which is incorrect:

source="C:\\inetpub\\logs\\LogFiles\\*" host="WIN-699VGN4SK4U" index="main" |bucket span=1d _time| eventstats p75(count) as p75 p95(count) as p95 p99(count) as p99
| eval Percentile = case(count >= p75, "75%", count >= p95, "95%", count >= p99, "99%", 1=1, "0%")
| stats count by Percentile

Not really sure how to fix this, any help would be greatly appreciated.

Thanks


Joe


ITWhisperer
SplunkTrust

count isn't created in your search - does it already exist in your events?

Also, you should change the order in the case statement, since over 95% is also over 75%, so it would be tagged as being over 75% before it gets to evaluate whether it is over 95%.

joe06031990
Communicator

Thanks for your reply, I have rewritten my search:

index=test sourcetype=test |bucket span=1m _time
| stats count as total
| eventstats perc99(total) as p99, perc95(total),perc75(total) as p75| eval Percentile = case(total >= p99, "99%", total >= p95, "95%", total >= p75, "75%", 1=1, "0%")
| stats sum(total) as "Totals" by Percentile
| rename Totals as "Total Transactions"

However, this is now only showing the 99% and not 75% or 99%.


Any thoughts?


Thanks


Joe


ITWhisperer
SplunkTrust

You have not included _time in the stats so you will get a single result

joe06031990
Communicator

It also looks like it is just selecting the first Percentile in the case statement no matter what it is.

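The following is an added Python illustration of the two problems raised in this thread; it is not from the thread or from Splunk, and the request timestamps in it are constructed. It mirrors the rewritten SPL pipeline step by step (bucket by minute, stats count per bucket, percentiles, case(), sum by Percentile) so that the effect of each mistake can be seen on concrete numbers: without the equivalent of `by _time` there is a single total, so the three percentiles are all equal to it and every row lands in "99%"; with the case() conditions in ascending order, anything over p75 is labelled "75%" before the higher thresholds are ever tested. Two assumptions: the percentile helper uses the nearest-rank method, which is close to but not guaranteed identical to Splunk's perc<N>() on large data sets, and the sample is tiny. One further caveat for the SPL as posted: `perc95(total)` has no `as p95` alias, so the field the case() statement compares against is never created, and that condition can never be true.

```python
from collections import Counter
from datetime import datetime, timedelta

SPAN_SECONDS = 60  # equivalent of `bucket span=1m _time`


def make_sample_events():
    """Constructed request timestamps (not from the thread): one event per
    request, so that a per-minute count reproduces the per_minute figures.
    Most minutes are quiet; minutes 7, 12 and 20 are spikes."""
    base = datetime(2022, 6, 27, 9, 0, 0)
    per_minute = [3, 2, 4, 3, 2, 3, 40, 3, 2, 4, 3, 12, 3, 2, 3, 3, 2, 4, 3, 25]
    events = []
    for i, n in enumerate(per_minute):
        events.extend(base + timedelta(minutes=i, seconds=s) for s in range(n))
    return events


def bucket_totals(events, span_seconds=SPAN_SECONDS, by_time=True):
    """Mirrors `bucket span=1m _time | stats count as total by _time`.
    With by_time=False it mirrors the thread's `stats count as total`,
    which collapses every event into one row."""
    if not by_time:
        return [len(events)]
    counts = Counter()
    for t in events:
        epoch = int(t.timestamp())
        counts[epoch - epoch % span_seconds] += 1  # floor to the span
    return [counts[k] for k in sorted(counts)]


def nearest_rank_percentile(values, p):
    """Nearest-rank percentile, computed with integer arithmetic so the rank
    is exact. Assumed close enough to Splunk's perc<N>() for this sample."""
    ordered = sorted(values)
    rank = (p * len(ordered) + 99) // 100  # ceil(p/100 * n), at least 1
    return ordered[max(rank, 1) - 1]


def spl_case(value, rules, default="0%"):
    """Mirror of SPL case(): conditions are tried in order, first match wins."""
    for threshold, label in rules:
        if value >= threshold:
            return label
    return default


def group_by_percentile(totals, descending=True):
    """Mirrors eventstats perc99/perc95/perc75, the eval case(), and
    `stats sum(total) as Totals by Percentile`."""
    p75 = nearest_rank_percentile(totals, 75)
    p95 = nearest_rank_percentile(totals, 95)
    p99 = nearest_rank_percentile(totals, 99)
    rules = [(p99, "99%"), (p95, "95%"), (p75, "75%")]  # highest threshold first
    if not descending:
        rules = rules[::-1]  # the original post's order: 75% tested first
    grouped = Counter()
    for total in totals:
        grouped[spl_case(total, rules)] += total
    return dict(grouped)


if __name__ == "__main__":
    events = make_sample_events()
    per_minute = bucket_totals(events)
    print("by _time, highest threshold first:", group_by_percentile(per_minute))
    print("case() in ascending order:", group_by_percentile(per_minute, descending=False))
    print("no `by _time` (single row):", group_by_percentile(bucket_totals(events, by_time=False)))
```

Running it prints three groupings from the same events: the corrected pipeline splits the 126 requests across all four labels, the ascending case() order merges the 95% and 99% minutes into "75%", and the single-row variant puts the whole 126 under "99%", which is the symptom described in the second post.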