perc(), upperperc() and exactperc()

Definition

perc(), upperperc() and exactperc() return the percentile value of the selected numeric table column.

Command Description

perc()

Returns a value that represents the threshold of approximate values for the given percentile.

upperperc()

Returns the approximate upper bound for given percentile when there are more than 1000 values in the column. If there are less than 1000 values available, upperperc() returns the same value as perc()

exactperc()

Returns the exact percentile value.

The exactperc() aggregation may cause interpreter to consume a large amount of memory. It may affect how long it takes a search to complete.

You can use perc(), upperperc() and exactperc() with transform commands that support aggregations.

Examples

There are two ways to use perc(), upperperc() and exactperc(): perc(<value>, <percentile>) and perc<percentile>(<value>). Use values between 0 and 100 to define the percentile. The value can be a decimal.

Currently, the format perc(<value>, <percentile>) doesn’t work. See the issue on GitHub.

perc()

The following example shows the approximate threshold for price column in sales_inventory index. The query uses percentile 90.

%dpl
index=sales_inventory earliest="01/01/2021:00:00:00"
| rex4j field=_raw "price=(?<price>\d+)"

| stats perc90(price)
example of perc command

upperperc()

The following example returns the approximate upper bound for price column with percentile 90 in sales_inventory index.

%dpl
index=sales_inventory earliest="01/01/2021:00:00:00"
| rex4j field=_raw "price=(?<price>\d+)"

| stats upperperc90(price)
example of upperperc command

exactperc()

The following example returns the exact percentile for price column in sales_inventory index. The query uses percentile 90.

%dpl
index=sales_inventory earliest="01/01/2021:00:00:00"
| rex4j field=_raw "price=(?<price>\d+)"

| stats exactperc90(price)
example of exactperc function

Further Reading