Solved: Need to Change Search to Add 90th Percentile to th...

tkwaller · ‎02-03-2014

Hello

index=tt Reserve OrderIntegration | transaction dye maxspan=30s maxpause=10s startswith="Begin Reserve" endswith="End Reserve" | bucket time span=24h | timechart avg(duration) as Duration | eventstats p90(Duration) as AvgDuration_90

This is the base search that I have created and it works but I need to change the search so the "eventstats p90(Duration) as AvgDuration_90" can be transacted to the bucket so I can use earliest=-30d. Then I need to add earliest=-1h to the "timechart avg(duration) as Duration" portion of the search, so I thought I could use a subsearch but I have been unable to get it to work correctly.

Essentially I need the 90th percentile to span back 30 days but the average duration to span the last hour.

Any ideas how this can be completed easily?

Thanks so very much

sideview · ‎02-04-2014

Taking the 90th percentile of an hourly average, is a pretty arbitrary statistic and quite probably a meaningless one if you asked a statistician. I am not one.

I think this search will give you what you need.

index=tt Reserve OrderIntegration  
| transaction dye maxspan=30s maxpause=10s startswith="Begin Reserve" endswith="End Reserve" 
| eval lastHourDuration=if(_time>relative_time(_time,"-1h"),duration,null())
| stats perc90(duration) avg(lastHourDuration)

View solution in original post

sideview · ‎02-04-2014

Taking the 90th percentile of an hourly average, is a pretty arbitrary statistic and quite probably a meaningless one if you asked a statistician. I am not one.

I think this search will give you what you need.

index=tt Reserve OrderIntegration  
| transaction dye maxspan=30s maxpause=10s startswith="Begin Reserve" endswith="End Reserve" 
| eval lastHourDuration=if(_time>relative_time(_time,"-1h"),duration,null())
| stats perc90(duration) avg(lastHourDuration)

tkwaller · ‎02-04-2014

Actually I think I figured that part out. Gonna mark this as the correct answer. Thank you much for the help!

tkwaller · ‎02-04-2014

What would be the best way to chart this as a visualization might be kinda nice

tkwaller · ‎02-04-2014

No problem, I thought that was the case but wanted to double check. I can edit to use specific time if needed.

sideview · ‎02-04-2014

Sorry I just assumed you'd use the timeRangePicker to set the timerange to "last 30 days". You can have more fine grained control using the advanced modes of the TimeRangePicker too.

tkwaller · ‎02-04-2014

can you tell me how the time frames work with this search? where is the 30 days defined for this search? I can see how the hour span works but I dont understand where the 30 days span is defined.

sideview · ‎02-04-2014

Gotcha. So to restate you want to take all the hourly averages going back 30 days and then get the 90th percentile of them. And the average duration from the last hour has to come along for the ride.

I think we're there. Or almost. 😃

How about this.

index=tt Reserve OrderIntegration | transaction dye maxspan=30s maxpause=10s startswith="Begin Reserve" endswith="End Reserve" | eval lastHourDuration=if(_time>relative_time(_time,"-1h"),duration,null()) | bin _time span=1h | eventstats avg(duration) as avgDuration by _time | stats perc90(avgDuration) avg(lastHourDuration)

tkwaller · ‎02-04-2014

I realize the meaningless stats but what I am looking for is the 90th percentile average over 30 days compared to the hourly average of the duration

Need to Change Search to Add 90th Percentile to the Bucketed Items

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life