Splunk Search

Percentile values over time

ewanbrown
Path Finder

Hi

I have a query to look at the number of times a user does an event, and then get different percentiles of these. I'd however like to change this to track it over time. I've tried adding in timechart but it has not worked.

Do you know if this is an easy thing to do?

Thanks

index=beacon <search query> | chart count by ID | stats perc99(count), perc1(count), perc50(count)
1 Solution

ewanbrown
Path Finder

This worked for me:

index=beacon | bin _time as Day span=1m | stats count by ID Day | stats perc99(count) as P99, perc50(count) as P50 by Day

DalJeanis
SplunkTrust

Percentile of what, precisely?

The code you posted returns, out of the total counts of all the users, the values of count that represent the user at the 99th percentile, the 50th, and the 1st.

If you wanted to know what the 99th percentile count was for each day, then you could do this:

index=beacon <search query> | bin _time as Day span=1d | stats count by ID Day | stats perc99(count) as P99 by Day

... and then you could calculate the AVERAGE of the daily 99th percentiles ...

| stats avg(P99) as avg99thPercentile

...or if you wanted to know what the 99th percentile count was regarding the set of "event count per day per user" for the entire data set, you could do this...

 index=beacon <search query> | bin _time as Day span=1d | stats count by ID Day | stats perc99(count) 
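The two-stage SPL above (bin into days, count per ID per day, then take percentiles per day) re-implemented in Python as an added example that is not part of the original thread, run over constructed sample events. It also models the `chart count min(_time) as _time by ID | timechart perc99(count)` variant from later in the thread, which attributes each ID's total count to the day of its first event; the nearest-rank percentile is an assumption standing in for Splunk's perc<X> on small result sets.

```python
"""Percentiles of per-user event counts over time, mirroring the thread's SPL.

Stage 1: `bin _time as Day span=1d | stats count by ID Day`
Stage 2: `stats perc99(count) as P99, perc50(count) as P50 by Day`
"""
from collections import Counter, defaultdict
from math import ceil

DAY = 86400  # span=1d, in seconds

# Constructed sample events (epoch seconds, ID); not data from the original thread.
# Day 0: u1 has 10 events, u2 has 2, u3 has 1.  Day 1: u1 has 3, u2 has 4.
EVENTS = (
    [(i, "u1") for i in range(10)]
    + [(100, "u2"), (200, "u2"), (300, "u3")]
    + [(DAY + i, "u1") for i in range(3)]
    + [(DAY + 500 + i, "u2") for i in range(4)]
)


def bin_time(ts, span=DAY):
    """Equivalent of `bin _time span=...`: floor the timestamp to its bucket start."""
    return ts - ts % span


def nearest_rank_perc(values, p):
    """Nearest-rank percentile (assumed to approximate Splunk's perc<X> on small sets)."""
    ordered = sorted(values)
    rank = max(1, ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def percentiles_by_day(events, ps=(99, 50), span=DAY):
    """Per-day percentiles of per-ID counts: the approach the asker accepted."""
    per_day_id = Counter((bin_time(ts, span), uid) for ts, uid in events)
    by_day = defaultdict(list)
    for (day, _uid), count in per_day_id.items():
        by_day[day].append(count)
    return {day: {p: nearest_rank_perc(c, p) for p in ps} for day, c in sorted(by_day.items())}


def chart_then_timechart_p99(events, span=DAY):
    """`chart count min(_time) as _time by ID | timechart perc99(count)`:
    one row per ID carrying its TOTAL count, bucketed by the ID's FIRST event time.
    IDs that appear earlier accumulate more events, so early buckets read high."""
    total, first = Counter(), {}
    for ts, uid in events:
        total[uid] += 1
        first[uid] = min(ts, first.get(uid, ts))
    by_day = defaultdict(list)
    for uid, count in total.items():
        by_day[bin_time(first[uid], span)].append(count)
    return {day: nearest_rank_perc(c, 99) for day, c in sorted(by_day.items())}
```

With the sample data the per-day approach yields P99 of 10 on day 0 and 4 on day 1, while the chart/timechart variant puts a single P99 of 13 on day 0 and nothing on day 1.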

ewanbrown
Path Finder

Thanks!

This is what I needed

index=beacon <search query> | bin _time as Day span=1d | stats count by ID Day | stats perc99(count) as P99 by Day

niketn
Legend

Please try the following (timechart will require _time field which is getting removed by your chart query):

index=beacon <search query> 
| chart count min(_time) as _time by ID 
| timechart perc99(count) as Perc99 perc1(count) as Perc1 perc50(count) as Perc50

PS: span will default based on your Time Range selection; otherwise you would need to introduce the same span for chart and timechart.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

@ewanbrown... Were you able to try this out? Did the query work for you?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ewanbrown
Path Finder

Thanks for replying. It didn't seem to work. The 99th percentile value seems to get bigger the further back in time you went.

This worked for me though

index=beacon Platform=android | bin _time as Day span=1m | stats count by INID Day | stats perc99(count) as P99, perc50(count) as P50 by Day