Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

grouping requests by percentile

joe06031990
Communicator
‎07-21-2021 10:11 PM

Good morning, 

 

I am trying to group the count by percentile however all is showing in 0% which is in correct: 

source="C:\\inetpub\\logs\\LogFiles\\*" host="WIN-699VGN4SK4U" index="main" |bucket span=1d _time| eventstats p75(count) as p75 p95(count) as p95 p99(count) as p99
| eval Percentile = case(count >= p75, "75%", count >= p95, "95%", count >= p99, "99%", 1=1, "0%")
| stats count by Percentile

Not really sure how to fix, any help would be greatly appreciated.

 

Thanks

 

Joe

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-22-2021 02:44 AM

You have not included _time in the stats so you will get a single result

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2021 11:40 PM

count isn't created in your search - does it already exist in your events?

Also, you should change the order in the case statement since over 95% is also over 75% so would be tagged as being over 75% before it gets to evaluate whether it is over 95%

0 Karma
Reply
Solved! Jump to solution

joe06031990
Communicator
‎07-22-2021 12:57 AM

Thanks for your reply, I have re-wrote my search:

 

index=test sourcetype=test |bucket span=1m _time
| stats count as total
| eventstats perc99(total) as p99, perc95(total),perc75(total) as p75| eval Percentile = case(total >= p99, "99%", total >= p95, "95%", total >= p75, "75%", 1=1, "0%")
| stats sum(total) as "Totals" by Percentile
| rename Totals as "Total Transactions"

 

however this is now only showing the 99% and not 75% or 99%.

 

Any thoughts?

 

Thanks

 

Joe

Tags (2)
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-22-2021 02:44 AM

You have not included _time in the stats so you will get a single result

Reply
Solved! Jump to solution

joe06031990
Communicator
‎07-22-2021 02:20 AM

It also looks like it is just selecting the first Percentile in the case statement no matter what it is.

Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...