Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Insert 90th Percentile as Horizontal Line on Timechart

danielrusso1
Path Finder
‎05-04-2012 07:19 AM

New to Splunk, need some help.

I would like to build a timechart that does the following:

  1. Graphs average response over a timeframe in hourly increments
  2. Inserts a horizontal line representing the 90th percentile value for response time over the entire period.

I have the average response time taken care of I think:

| timechart avg(time_taken) span=1h

Any ideas?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

csharp_splunk
Splunk Employee
Splunk Employee
‎05-04-2012 08:26 AM

We're having a debate about this on the IRC channel right now. This can be accomplished through a subsearch, which may provide potentially more accurate results, but I think this is just as accurate:

 * | eventstats avg(time_taken) as ttavg | eventstats p90(ttavg) as p90avg | timechart avg(time_taken) max(p90avg)

View solution in original post

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎05-04-2012 09:03 AM

The subsearch approach looks something like this, but it will perform (at least) twice as poorly as csharp's solution -- mainly due to having to run the main search twice. And, it's not been proven to be any more accurate. 

_main_search_terms_ | timechart avg(time_taken) as avg 
| appendcols 
    [ _main_search_terms_again_ 
       | stats perc90(gers_SQL_lapse) as p90temp 
       | fields p90temp 
    ] 
| eventstats first(p90temp) as p90 
| fields - p90temp

Unless you can find a demonstrable difference in accuracy, use csharp's solution. We'd be interested to hear results with your data if there is a substantial difference in the results.

0 Karma
Reply
Solved! Jump to solution
Solution

csharp_splunk
Splunk Employee
Splunk Employee
‎05-04-2012 08:26 AM

We're having a debate about this on the IRC channel right now. This can be accomplished through a subsearch, which may provide potentially more accurate results, but I think this is just as accurate:

 * | eventstats avg(time_taken) as ttavg | eventstats p90(ttavg) as p90avg | timechart avg(time_taken) max(p90avg)
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...