Count elements from every percentile

kp_pl · ‎07-25-2024

My target is not only show proper percentiles but also count elements in every precentile . So the first step I did is:

index="oap"
| stats perc25(tt) as P25,
             perc50(tt) as P50,
             perc75(tt) as P75 by oper

It gives me expected values for each percentile - the first part is ready.
Then I figured out something like

| where tt>P75
| stats values(P75) count by oper

It adds additional column but only with data from one (75th) percentile. But how to prepare a query which returns count for each Percentil ?

yuanliu · ‎07-25-2024

Instead of stats, use eventstats.

index="oap"
| eventstats perc25(tt) as P25,
             perc50(tt) as P50,
             perc75(tt) as P75 by oper
| foreach P25 P50 P75
  [eval <<FIELD>>count = if(tt><<FIELD>>, 1, 0)]
| stats values(P*count) as P*count by oper P25 P50 P75

gcusello · ‎07-25-2024

Hi @kp_pl ,

sorry but I don't understand your request:

perc75(tt) is one of the calculated values, so why do you want to add a new column?

Could you share how you are waiting for results?

Ciao.

Giuseppe

kp_pl · ‎07-25-2024

Ok, will try to expain it ....

there are thousand of digits, of course values can repeat.

So first I want to divide them ( in that case) into quartile. In my case : 0-25, 25-50, 50-75,75-100. Then , and this is my problem, count how many values has every section/quartile. In my case I need 4 pairs : value<>quantity.

Is it more clear ...

Count elements from every percentile

stats

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?