I need to calculate 75th percentile by minutes
Time: 11:12 magnitude 3.4 Time: 11:12 magnitude 4.4 Time: 11:12 magnitude 3.9 Time: 11:15 magnitude 3.8 Time: 11:15 magnitude 2.4 Time: 11:15 magnitude 3.1 Time: 12:10 magnitude 3.6 Time: 12:11 magnitude 3.5 Time: 12:11 magnitude 4.4 Time: 12:11 magnitude 3.9
Try this:
base search | timechart span=1m p75(magnitude)
That's assuming your events are timestamped correctly and you have the magnitude field extracted.
magnitude
That looks for a number with optional decimal point.
It worked on above example file can you please explain what does expression in rex "\d+(.\d+) " is doing
Try this rex:
rex
rex "magnitude (?<magnitude>\d+(\.\d+)?)"
Verify that the field is extracted before adding the timechart.
timechart
thanks for quick reply, i tried below search but no good.
base search | rex field=_raw "magnitude (?) |" | timechart span=1m p75(response)
I get blank values in response column
