Splunk Search

How to return exact percentile values in a Splunk search?

rameshlpatel
Communicator

Hi,

I have an issue with percentile functions provided by SPLUNK.

Example: I am getting count by last 7 days as :

11,12,13,14,16,18,22

If I am asking for 90th perc of above value, it's always showing me 22 as a value, not in between like 20 or 21, or if I expect the 80th percentile, it's giving me 18, not 19 or 20. This means it's taking data from the result set, not in between and I'm expecting exact percentiles. Could you please help me to know how we could achieve this in splunk ?

I tried all functions provided by Splunk like perc, p, exactperc etc. but results are not changing.

Tags (2)

martin_mueller
SplunkTrust
SplunkTrust

I'm pretty sure that both perc() and exactperc() use the Nearest Rank method: https://en.wikipedia.org/wiki/Percentile#The_Nearest_Rank_method
The difference appears to be that for high-cardinality fields perc() might not be accurate for sake of performance so you can use exactperc() to force Splunk to be accurate (within the Nearest Rank method) without regard for expensive computations.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...