Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Does perc95 require all the raw data for the entire interval?

ddrillic
Ultra Champion
‎06-16-2019 03:50 PM

Perc95 is becoming more and more popular with our executives. We wonder whether we need to have all the raw data in order to calculate it.
So, let's say we know what it is for January and next we need to know the value for January and February.
Do we need all the raw data for January and February? or we can somehow capture whatever is needed from January in a summary index and calculate based on that and the raw data for February the value for both months together.

For clarity about the perc95's definition - what does perc95 and all those stats functions perc*

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-17-2019 01:56 AM

Hi @ddrillic,

The percX is based on the distribution of your results based on how many times each value appeared. If you save percXfrom January in a summary index for example you won't be able to use it to build the percX over January-February unless you knew the total number of count per value for January.

That being said, if you want to use summary indexing to improve performance for perc90 then you will need to save the count per value per month. With that you can take the count per value for January, February, sum it up and then use the perc90 on it to get the exact results.

Let me know if that helps.

Cheers,
David

View solution in original post

Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-17-2019 01:56 AM

Hi @ddrillic,

The percX is based on the distribution of your results based on how many times each value appeared. If you save percXfrom January in a summary index for example you won't be able to use it to build the percX over January-February unless you knew the total number of count per value for January.

That being said, if you want to use summary indexing to improve performance for perc90 then you will need to save the count per value per month. With that you can take the count per value for January, February, sum it up and then use the perc90 on it to get the exact results.

Let me know if that helps.

Cheers,
David

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎06-17-2019 08:19 AM

Very interesting David.

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎07-17-2019 10:58 AM

Thanks for accepting ! Happy Splunking 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...