- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- can i know the best95 and worst5 stats in splunk?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can i know the best95 and worst5 stats in splunk?
Hi,
I have written a query which gives me the list of durations of all the transactions.Now i need to calucalte the avg of top95 durations and avg of the last 5 durations . how do i do that in single query.
my query to list durations is.
sourcetype="data" "request OR response" | keepevicted=true transaction prod_id | top limit=100 duration
displays only the top 100 durations values . but i need the stats for avg of top 95 duration values and avg of last 5 duration values..
Please help..
thanx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi rakesh_498115
you can use the p
p<X>(Y) | perc<X>(Y)
This function returns the X-th percentile value of the field Y.
This example returns the 5th percentile value of a field "total":perc5(total)
http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/CommonStatsFunctions
cheers,
MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can combine any searches with append http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Append and here is the string you need:
your search
| eventstats p5(duration) AS low_limit
| where duration > low_limit
| stats avg(duration) AS dur_low_avg
| append [
| eventstats p95(duration) AS max_limit
| where duration < max_limit
| stats avg(duration) AS dur_max_avg]
this will run for awhile depending on your amount of data, because it runs each search on it own and not at the same time. so thanks for your upvote and kudos 😉
cheers,
MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's also worth noticing that pX() is using APPROXIMATION not exact value when you have >1000 data points, see http://splunk-base.splunk.com/answers/44336/percentile-implementation
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do i get both the stats in single query ... ??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| eventstats p95(duration) AS dur_limit | where duration < dur_limit | stats avg(duration)
should do just fine
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not getting the desired result when i use perc..can you pls give me the query to calulcate the top 95 durations average and last 5 durations .
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
