How to get the value that is coming at 95 position (%) in Splunk.
I have n values coming from stats command, after that, I need to display a value which is at position 95 (%).
Example below:
I got these results (total 17 for this example) by using | stats count by Responsetime | sort Responsetime ( all sorted in ascending order)
Responsetime count
11 1
12 183
13 13968
14 81599
15 104666
16 70917
17 43351
18 26854
19 17698
20 12432
21 9401
22 7561
23 6139
24 5175
25 4581
26 4087
27 3899
So manually, if I have to look for the value at the 95 position (%), then I will take total results ((17) * 95 position (%))/100 = 16 (value at 16th place out of 17), so the value I need to display would be 26 in the above example. I am stuck on how Splunk will calculate that position. I reached the point where I got that 16th is the place, but now the challenge is how to tell Splunk to display the value which is at the 16th place.
your search
| stats count by Responsetime
| sort Responsetime
| rename COMMENT as "this is your result. from here, the logic"
| streamstats count as line_no
| eventstats perc95(eval(max(line_no))) as perc95Pos
| where line_no <= perc95Pos
| table Responsetime,count
| tail 1
Hi, folks. Maybe this is it?
This one works like a pro, thank you so much 🙂
@ashikuma your exact query from the example and question is not clear. However, if you want to calculate and show the 95th percentile value rounded off to an integer, you can try the following using the perc statistical function:
<yourExistingSearchThatGivesAboveResults>
| stats perc95(Responsetime) as per95RespTime
| eval per95RespTime=round(per95RespTime,0)
Following is a run anywhere example to show the results with 95th percentile value associated with each row (using eventstats instead of stats) so that you can perform further calculations. (Commands from | makeresults till | fields Responsetime count are used to generate dummy data as per your question.)
| makeresults
| eval data="11 1;12 183;13 13968;14 81599;15 104666;16 70917;17 43351;18 26854;19 17698;20 12432;21 9401;22 7561;23 6139;24 5175;25 4581;26 4087;27 3899"
| makemv data delim=";"
| mvexpand data
| makemv data delim=" "
| eval Responsetime=mvindex(data,0), count=mvindex(data,1)
| fields - _time data
| fields Responsetime count
| eventstats perc95(Responsetime) as per95RespTime
| eval per95RespTime=round(per95RespTime,0)
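Added example, not part of any post in this thread: the question's 17-row table, with the value at the 95% row position computed next to the value at the 95% position of all counted events, which goes beyond what was asked but is the figure usually wanted when each row carries a count. The field names line_no, running_count, rows, total_count, row_pos, by_row and by_count are made up for this sketch, and floor() is an assumption chosen to reproduce the question's (17 * 95)/100 = 16.

```spl
| makeresults
| rename COMMENT as "added example: sample rows rebuilt from the table in the question"
| eval data="11 1;12 183;13 13968;14 81599;15 104666;16 70917;17 43351;18 26854;19 17698;20 12432;21 9401;22 7561;23 6139;24 5175;25 4581;26 4087;27 3899"
| makemv data delim=";"
| mvexpand data
| makemv data delim=" "
| eval Responsetime=tonumber(mvindex(data,0)), count=tonumber(mvindex(data,1))
| fields - _time data
| sort 0 Responsetime
| rename COMMENT as "row number and running total of events, in ascending Responsetime order"
| streamstats count as line_no sum(count) as running_count
| eventstats max(line_no) as rows sum(count) as total_count
| rename COMMENT as "assumption: floor() matches the question's (17*95)/100 = 16"
| eval row_pos=floor(rows*95/100)
| rename COMMENT as "by_row: value on the row at the 95 percent row position"
| eval by_row=if(line_no==row_pos, Responsetime, null())
| rename COMMENT as "by_count: rows at or past 95 percent of all events; the smallest is the weighted value"
| eval by_count=if(running_count>=0.95*total_count, Responsetime, null())
| stats max(by_row) as value_at_row_position min(by_count) as count_weighted_p95
```

On the question's table, value_at_row_position is 26, the figure worked out by hand in the question, while count_weighted_p95 is 23, because 95% of the 412512 events are already covered by the time the running total reaches the Responsetime 23 row.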