Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

grouping requests by percentile

joe06031990
Communicator
‎07-21-2021 10:11 PM

Good morning, 

 

I am trying to group the count by percentile however all is showing in 0% which is in correct: 

source="C:\\inetpub\\logs\\LogFiles\\*" host="WIN-699VGN4SK4U" index="main" |bucket span=1d _time| eventstats p75(count) as p75 p95(count) as p95 p99(count) as p99
| eval Percentile = case(count >= p75, "75%", count >= p95, "95%", count >= p99, "99%", 1=1, "0%")
| stats count by Percentile

Not really sure how to fix, any help would be greatly appreciated.

 

Thanks

 

Joe

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-22-2021 02:44 AM

You have not included _time in the stats so you will get a single result

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2021 11:40 PM

count isn't created in your search - does it already exist in your events?

Also, you should change the order in the case statement since over 95% is also over 75% so would be tagged as being over 75% before it gets to evaluate whether it is over 95%

0 Karma
Reply
Solved! Jump to solution

joe06031990
Communicator
‎07-22-2021 12:57 AM

Thanks for your reply, I have re-wrote my search:

 

index=test sourcetype=test |bucket span=1m _time
| stats count as total
| eventstats perc99(total) as p99, perc95(total),perc75(total) as p75| eval Percentile = case(total >= p99, "99%", total >= p95, "95%", total >= p75, "75%", 1=1, "0%")
| stats sum(total) as "Totals" by Percentile
| rename Totals as "Total Transactions"

 

however this is now only showing the 99% and not 75% or 99%.

 

Any thoughts?

 

Thanks

 

Joe

Tags (2)
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-22-2021 02:44 AM

You have not included _time in the stats so you will get a single result

Reply
Solved! Jump to solution

joe06031990
Communicator
‎07-22-2021 02:20 AM

It also looks like it is just selecting the first Percentile in the case statement no matter what it is.

Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...