All Apps and Add-ons

Dynatrace Application Performance Management: How to replace subsearchs to make a chart using percentile?

BoumY
Explorer

Hi,

I'm currently working with data from Dynatrace and I have a field that contains responseTime(in milisecond). I would like to use the chart percX(Y) function to make a result like this :

Percent | time_Seconds
10% | 1s
20% | 2s
30% | 6s
40% | 7s
50% | 8.5s
60% | 9s
70% | 9.1s
80% | 9.6s
90% | 10s

So I did something like this to get the precedent result :

my search| eval Percent="10%" | chart perc10(responsetime) as time_Seconds over Percent |
append [my search |eval Percent="20%"| chart perc20(responsetime) as time_Seconds over Percent] |
append [my search |eval Percent="30%"| chart perc30(responsetime) as time_Seconds over Percent] |
append [my search |eval Percent="40%"| chart perc40(responsetime) as time_Seconds over Percent] |
append [my search |eval Percent="50%"| chart perc50(responsetime) as time_Seconds over Percent] |
append [my search |eval Percent="60%"| chart perc60(responsetime) as time_Seconds over Percent] |
append [my search |eval Percent="70%"| chart perc70(responsetime) as time_Seconds over Percent] |
append [my search |eval Percent="80%"| chart perc80(responsetime) as time_Seconds over Percent] |
append [my search |eval Percent="90%"| chart perc90(responsetime) as time_Seconds over Percent] |
eval time_Seconds = time_Seconds/1000

But using subsearches is not optimal and I have some trouble with it. Anyone knows how to do it in a better way? Thank you!

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

Start with something like this, then reformat the results as needed with transpose or foreach.

   | stats 
    perc10(avgdiskreadpersec_last) as 10%,
    perc20(avgdiskreadpersec_last) as 20%
    perc30(avgdiskreadpersec_last) as 30%,
    perc40(avgdiskreadpersec_last) as 40%,
    perc50(avgdiskreadpersec_last) as 50%,
    perc60(avgdiskreadpersec_last) as 60%,
    perc70(avgdiskreadpersec_last) as 70%,
    perc80(avgdiskreadpersec_last) as 80%,
    perc90(avgdiskreadpersec_last) as 90%

The transpose version looks like this...

    | transpose
    | rename row1 as time_Seconds, column as Percent

View solution in original post

DalJeanis
SplunkTrust
SplunkTrust

Start with something like this, then reformat the results as needed with transpose or foreach.

   | stats 
    perc10(avgdiskreadpersec_last) as 10%,
    perc20(avgdiskreadpersec_last) as 20%
    perc30(avgdiskreadpersec_last) as 30%,
    perc40(avgdiskreadpersec_last) as 40%,
    perc50(avgdiskreadpersec_last) as 50%,
    perc60(avgdiskreadpersec_last) as 60%,
    perc70(avgdiskreadpersec_last) as 70%,
    perc80(avgdiskreadpersec_last) as 80%,
    perc90(avgdiskreadpersec_last) as 90%

The transpose version looks like this...

    | transpose
    | rename row1 as time_Seconds, column as Percent

BoumY
Explorer

Yes ! that's exactly it !

Thanks a lot,
Younes

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...