Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Count elements from every percentile

kp_pl
Path Finder
‎07-25-2024 06:04 AM

My target is not only show proper percentiles but also count elements in every precentile . So the first step I did is:

index="oap"
| stats perc25(tt) as P25,
             perc50(tt) as P50,
             perc75(tt) as P75 by oper


It gives me expected values for each percentile - the first part is ready.
Then I figured out something like

| where tt>P75
| stats values(P75) count by oper


It adds additional column but only with data from one (75th) percentile. But how to prepare a query which returns count for each Percentil ?

 

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎07-25-2024 11:17 AM

Instead of stats, use eventstats.

index="oap"
| eventstats perc25(tt) as P25,
             perc50(tt) as P50,
             perc75(tt) as P75 by oper
| foreach P25 P50 P75
  [eval <<FIELD>>count = if(tt><<FIELD>>, 1, 0)]
| stats values(P*count) as P*count by oper P25 P50 P75
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-25-2024 09:25 AM

Hi @kp_pl ,

sorry but I don't understand your request:

perc75(tt) is one of the calculated values, so why do you want to add a new column?

Could you share how you are waiting for results?

Ciao.

Giuseppe

0 Karma
Reply

kp_pl
Path Finder
‎07-25-2024 11:11 AM

Ok, will try to expain it ....

 

there are thousand of digits, of course values can repeat.

So first I want to  divide them ( in that case) into quartile. In my case : 0-25, 25-50, 50-75,75-100. Then , and this is my problem, count how many values has every section/quartile. In my case I need 4 pairs : value<>quantity. 

Is it more clear ... 

 

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...