Re: how to get 90% of max execution time

avadhutha · ‎12-23-2022

I have a requirement to pull 90% of max execution time.

Ex: I have 10 requests for an hour and it's execution times as below. Out of which if I take max(Executation_time) I will get 10 sec but I want to give 10% leverage and consider max Time from 90% of ExecutionTimes.

I will be getting total number of executation details(10 in this ex) through a seach like `stats count(_raw) by Hour'. Now I have to take 10% record counts and neglect those number of records to get 90% of max Time

Tra. Executation_Time

1. 10 Sec

2. 9 Sec

3. 8 sec

4. 7 sec

5. 6 sec

6. 5sec

7. 4 sec

8. 3 sec

9. 2 sec

10. 1 sec

yuanliu · ‎12-24-2022

Not sure how to interpret "take 10% record counts and neglect those number of records to get 90% of max Time." So, I have make a blind guess: you want to count events whose Execution_Time is above 90% of maximum time. If so, eventstats is your friend.

| eventstats max(Execution_Time) as maxtime ``` max over entire search period ```
| where Execution_Time > 0.9 * maxtime
| stats count by Hour ``` assuming a field named Hour exists ```

how to get 90% of max execution time

subsearch

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI