Getting Data In

How to get the percentile 90 of the response time in Splunk?

Subarna
Explorer

Hi Team

 I want to get the percentile 90 of the response time in splunk. Suppose I have the below response times. What is the query with which I can get the percentile 90 in Splunk

 

1.379
1.276
1.351
2.062
1.465
3.107
1.621
1.901
1.562
27.203

 

 

Please help on the same

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Assuming the response times are stored in a field called 'response_time' that you could calculate that statistic using the p90 function in the stats command.

... | stats p90(response_time) as p90_response_time

 

---
If this reply helps you, Karma would be appreciated.
0 Karma

Subarna
Explorer

hi @richgalloway 

Below are the response times. As per my understanding the 90th Percentile of the Response times should be 3.10 . But if I use the command u mentioned below it is coming as 5.51. Please help me to understand the calculation that is done to find out the 90th percentile.

1.379
1.276
1.351
2.062
1.465
3.107
1.621
1.901
1.562
27.203

0 Karma

bowesmana
SplunkTrust
SplunkTrust

An interesting point - as @richgalloway points out, it uses nearest rank method for perc(), but you will note a difference if you use exacperc90(x), which will return you 27.203

Looking at the interpolated method on that Wikiepedia page, you can see that

PC: percentile specified 0.10 0.25 0.50 0.75 0.90

N: number of scores1010101010
OR: PC×(N+1) / PC×(N−1)+11.1/1.92.75/3.255.5/5.58.25/7.759.9/9.1
LoRank: OR truncated1/12/35/58/79/9
HIRank: OR rounded up2/23/46/69/810/10

 

The HiRank gives you the 10/10 position for a 90th percentile, which in your example, seems rather counter-intuitive.

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I don't know exactly how Splunk computes the perc90 number other than using the "Nearest Rank" algorithm, but the docs at https://docs.splunk.com/Documentation/Splunk/9.0.2/SearchReference/Aggregatefunctions#perc.26lt.3BX.... call it an estimate.  You can try the exactperc90 function to see if it gives a better result.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...