Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

percentile 99th count

joe06031990
Communicator
‎10-10-2021 03:50 AM

Hi,

I'm trying to build a search to find the count, min,max and Avg within the 99th percentile, all work apart from the count, not sure if I am missing something:

index="main" source="C:\\inetpub\\logs\\LogFiles\\*" |bin span=1d _time | eval ResponseTime= time_taken/1000000
| eval responseTime= time_taken/1000000
| timechart span=1mon p99(responseTime) as 99thPercentile
| stats min(99thPercentile) as p99responseTimemin max(99thPercentile) as p99responseTimemax avg(99thPercentile) as p99responseTimeavg count(99thPercentile) by _time

 

Thanks

 

Joe

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-10-2021 02:37 PM

@joe06031990 

You've got two timespans in your search, but only one is being used, i.e. the 1mon. I assume you are trying to get the daily 99th percentile and then get the min/avg/max/count over the month.

This will do that

index="main" source="C:\\inetpub\\logs\\LogFiles\\*" 
| eval responseTime= time_taken/1000000
| timechart span=1d p99(responseTime) as 99thPercentile count
| bin span=1mon _time
| stats min(99thPercentile) as p99responseTimemin max(99thPercentile) as p99responseTimemax avg(99thPercentile) as p99responseTimeavg sum(count) as count by _time

 this assumes

  • the count you are looking for is the count of events across the month
  • the month is by calendar month, i.e. if you run a 30 day search on 11th October, you will get the monthly figures from September 12 in a September summary and the monthly figures for October based on the first 11 days October.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-10-2021 02:37 PM

@joe06031990 

You've got two timespans in your search, but only one is being used, i.e. the 1mon. I assume you are trying to get the daily 99th percentile and then get the min/avg/max/count over the month.

This will do that

index="main" source="C:\\inetpub\\logs\\LogFiles\\*" 
| eval responseTime= time_taken/1000000
| timechart span=1d p99(responseTime) as 99thPercentile count
| bin span=1mon _time
| stats min(99thPercentile) as p99responseTimemin max(99thPercentile) as p99responseTimemax avg(99thPercentile) as p99responseTimeavg sum(count) as count by _time

 this assumes

  • the count you are looking for is the count of events across the month
  • the month is by calendar month, i.e. if you run a 30 day search on 11th October, you will get the monthly figures from September 12 in a September summary and the monthly figures for October based on the first 11 days October.

 

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-11-2021 03:13 AM

No, mate, that's overcomplicating things.

You don't normally use timechart with bin. That's what timechart is for. So | bin | timechart is kinda pointless.

If you want to do a monthly max/avg/whatever of daily values, it's enough to do

<your search> | timechart span=1d whatever_stats_you_want
| timechart span=1m whatever_stats_you_want
0 Karma
Reply
Solved! Jump to solution

joe06031990
Communicator
‎10-11-2021 12:48 AM

Thanks for your help.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-10-2021 04:02 AM

I'm not fully sure what you're trying to achieve but | timechart | stats by _time is almost surely not the way to go. With timechart you calculate some stats values and spread them over points in time then in stats by _time you're trying to calculate stats from single values (for each of those time points).

So I suppose you're getting 1 as count. And it's pretty understandable. And all the other stats also don't make much sense because avg() from one value is just this value. Same for other stat functions.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...