- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Average of durations for best 50% transactions dai...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Is it possible to find the Average of only the best 50% transactions(i.e top 50% of less transaction times).
I can hardcode the exact value in query , wher i can limit sort by duration to a exact number.
like *|sort limit=
But the problem is i wouldn't know hw many transactions i would have that day.
So i need a query which can produce the average of best 50% transactions irrespective of total transaction number
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I kinda found the answer for this:
eventstats count as evnts | streamstats current=t count as stms | where stms<(0.5*evnts) | stats avg(duration) as best
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Just saw that you've posted your own solution, but since I worked out something different, I thought I'd share it anyway. This search is based on calculating the average execution time for all execution times that are lower than the median execution time - which should be around the 50% mark. Assuming you have an extracted field called ET for Execution Time;
sourcetype=<your_sourcetype> | eventstats median(ET) AS mET | where ET < mET | stats avg(ET) values(mET)
Please let me know if there is any difference in performance (or worse - results)
UPDATE: FYI, I used execution times straight from the logs in my testing, rather than computed transaction durations, if that has any bearing for you.
UPDATE2: well, if you want some other percentage say 25, you can use p25(X), instead of median(X).
I still don't know what your full search looks like, but the snippet you posted in your original answer does not give me any valid results. The following example uses transaction durations for website visitors, and shows the average of the best/shortest 75% as a single value.
sourcetype=access_combined | transaction JSESSIONID | eventstats p75(duration) AS dur_limit | where duration < dur_limit | stats avg(duration)
Please post your full search query, as I'm interested in testing it as well, thanks.
regards,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See Update2 above
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot kristian. I have tested this also and i kind of get similiar results.
But using median rstricts it to the 50% only, but using streamstats and evenstants i can change it to say 65 or 70 and get those results also.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I kinda found the answer for this:
eventstats count as evnts | streamstats current=t count as stms | where stms<(0.5*evnts) | stats avg(duration) as best
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does this search really give you what you want? Have you tested it on a known set of events where you can manually verify the results?
I'm not too familiar with streamstats, but it seems to me that you're just looking at event counts, not duration times (apart from the last stats statement).
Did you test the suggestion I posted? (It's tested and verified to produce correct results)
/kristian
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
