Synopsis

Calculates the percentile of the values in a specified column of the search query results.

Syntax

percentile [percentage_value]

Required Arguments

percentage_value

Syntax: <character string>

Description: The value of a percentage

Optional Arguments

None

Description

A percentile is a measure used in statistics indicating the value below which a given percentage of observations in a group of observations fall.

The percentile remove the highest values when using order by VAL asc, and the lowest values when using order by VAL desc (it remove the

Note: percentile removes values from one side of the list of values list only).

only, therefore if needed, you may run list and percentile twice - once with order by asc, and then with order by desc.

Example 1:  

* in log.system audit | list process time | order by process time asc | percentile 95

From the events in system audit log, returns the percentile 95% of the events by column process time, by remove the 5% highest values

Example 2:  

timetoprcessRequest != null  in log.access | list timetoprcessRequest  | order by timetoprcessRequest  desc | percentile 50 | count | group by URL, timetoprcessRequest | order by timetoprcessRequest desc

From the events in access log, returns the percentile 50% of the events by column timetoprcessRequest, by remove the 50% lowest values. Then groups by the URL and timetoprcessRequest and sorts by timetoprcessRequest  descending.