Hi,
I have written a query which gives me the list of durations of all the transactions. Now I need to calculate the avg of the top 95 durations and the avg of the last 5 durations. How do I do that in a single query?
My query to list durations is:
sourcetype="data" "request OR response" | transaction prod_id keepevicted=true | top limit=100 duration
It displays only the top 100 duration values, but I need the stats for the avg of the top 95 duration values and the avg of the last 5 duration values.
Please help.
Thanks
hi rakesh_498115
you can use the p
p<X>(Y) | perc<X>(Y)
This function returns the X-th percentile value of the field Y.
This example returns the 5th percentile value of a field "total": perc5(total)
http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/CommonStatsFunctions
cheers,
MuS
You can combine any searches with append (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Append), and here is the string you need:
your search
| eventstats p5(duration) AS low_limit
| where duration > low_limit
| stats avg(duration) AS dur_low_avg
| append [ search your search
| eventstats p95(duration) AS max_limit
| where duration < max_limit
| stats avg(duration) AS dur_max_avg]
This will run for a while depending on your amount of data, because it runs each search on its own and not at the same time. So thanks for your upvote and kudos 😉
cheers,
MuS
It's also worth noticing that pX() uses an APPROXIMATION, not the exact value, when you have >1000 data points; see http://splunk-base.splunk.com/answers/44336/percentile-implementation
How do I get both the stats in a single query?
| eventstats p95(duration) AS dur_limit | where duration < dur_limit | stats avg(duration)
should do just fine
I am not getting the desired result when I use perc. Can you please give me the query to calculate the top 95 durations average and the last 5 durations?
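
Added example, not part of any post in this thread: one way to get both averages from a single pass, without append. It reuses the base search from the question and the field names from the append answer (low_limit, max_limit, dur_low_avg, dur_max_avg), and returns one row with both values instead of two appended rows. It relies on stats accepting eval expressions inside an aggregation; rows that evaluate to null() are left out of that average.

```spl
sourcetype="data" "request OR response"
| transaction prod_id keepevicted=true
| eventstats p5(duration) AS low_limit, p95(duration) AS max_limit
| stats avg(eval(if(duration > low_limit, duration, null()))) AS dur_low_avg,
        avg(eval(if(duration < max_limit, duration, null()))) AS dur_max_avg
```

To average only the tails instead, flip the comparisons (duration <= low_limit and duration >= max_limit). The percentile limits are still subject to the approximation mentioned in the comment above.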