The percentile aggregation function in Axiom Processing Language (APL) allows you to calculate the value below which a given percentage of data points fall. It’s particularly useful when you need to analyze distributions and want to summarize the data using specific thresholds, such as the 90th or 95th percentile. This function can be valuable in performance analysis, trend detection, or identifying outliers across large datasets.
You can apply the percentile function to various use cases, such as analyzing log data for request durations, OpenTelemetry traces for service latencies, or security logs to assess risk patterns.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, the percentile function is referred to as perc or percentile. APL's percentile function works similarly, but the syntax is different. The main difference is that APL requires you to explicitly define the column on which you want to apply the percentile and the target percentile value.
```kusto
['sample-http-logs']
| summarize percentile(req_duration_ms, 95)
```

In ANSI SQL, you might use the PERCENTILE_CONT or PERCENTILE_DISC functions to compute percentiles. In APL, the percentile function provides a simpler syntax while offering similar functionality.

```kusto
['sample-http-logs']
| summarize percentile(req_duration_ms, 95)
```

Usage
Syntax

```kusto
percentile(column, percentile)
```

Parameters
- column: The name of the column to calculate the percentile on. This must be a numeric field.
- percentile: The target percentile value (between 0 and 100).
Returns
The function returns the value from the specified column at or below which the given percentage of that column's values fall.
Use case examples
In log analysis, you can use the percentile function to identify the 95th percentile of request durations, which gives you an idea of the tail-end latencies of requests in your system.
Query
```kusto
['sample-http-logs']
| summarize percentile(req_duration_ms, 95)
```

Output
| percentile_req_duration_ms |
|---|
| 1200 |
This query calculates the 95th percentile of request durations, showing that 95% of requests take less than or equal to 1200ms.
For OpenTelemetry traces, you can use the percentile function to identify the 90th percentile of span durations for specific services, which helps to understand the performance of different services.
Query
```kusto
['otel-demo-traces']
| where ['service.name'] == 'checkoutservice'
| summarize percentile(duration, 90)
```

Output
| percentile_duration |
|---|
| 300ms |
This query calculates the 90th percentile of span durations for the checkoutservice, helping to assess high-latency spans.
In security logs, you can use the percentile function to calculate the 99th percentile of response times for a specific set of status codes, helping you focus on outliers.
Query
```kusto
['sample-http-logs']
| where status == '500'
| summarize percentile(req_duration_ms, 99)
```

Output
| percentile_req_duration_ms |
|---|
| 2500 |
This query identifies that 99% of requests resulting in HTTP 500 errors take less than or equal to 2500ms.
List of related aggregations
- avg: Use `avg` to calculate the average of a column, which gives you the central tendency of your data. In contrast, `percentile` provides more insight into the distribution and tail values.
- min: The `min` function returns the smallest value in a column. Use this when you need the absolute lowest value instead of a specific percentile.
- max: The `max` function returns the highest value in a column. It’s useful for finding the upper bound, while `percentile` allows you to focus on a specific point in the data distribution.
- stdev: `stdev` calculates the standard deviation of a column, which helps measure data variability. While `stdev` provides insight into overall data spread, `percentile` focuses on specific distribution points.
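To make concrete what `summarize percentile(column, p)` computes, and why it tells you something `avg`, `min`, `max` and `stdev` do not, here is an added Python example that is not part of Axiom's documentation or APL itself. It reimplements the aggregation over a constructed list of rows shaped like `['sample-http-logs']` (a `status` string and a numeric `req_duration_ms`), mirrors the page's `where status == '500'` query, and puts the percentiles beside the other aggregations. The page does not state which estimation method Axiom uses, so the nearest-rank method is an assumption made here for illustration; the sample values are made up.

```python
import math
from statistics import mean, stdev

# Constructed sample rows shaped like the page's ['sample-http-logs'] dataset
# (status as a string, req_duration_ms numeric). Values are made up for this
# example; they are not Axiom data.
SAMPLE_HTTP_LOGS = (
    [{"status": "200", "req_duration_ms": d} for d in range(100, 290, 10)]
    + [{"status": "200", "req_duration_ms": 1200}]  # one slow outlier
    + [{"status": "500", "req_duration_ms": d} for d in (900, 1500, 2000, 2500, 4000)]
)


def percentile(values, p):
    """Nearest-rank percentile: the smallest observed value such that at least
    p% of the data points are less than or equal to it.

    The page does not say whether Axiom uses nearest-rank or an interpolated
    estimate; nearest-rank is assumed here because it always returns a value
    that actually occurred in the data. Returns None for no input, mirroring
    an aggregation over an empty result set.
    """
    if not 0 <= p <= 100:
        raise ValueError("percentile must be between 0 and 100")
    ordered = sorted(values)
    if not ordered:
        return None
    # 1-based rank; p=0 maps to the minimum, p=100 to the maximum.
    # Multiply before dividing so p * n / 100 stays exact for integer inputs.
    rank = math.ceil(p * len(ordered) / 100)
    return ordered[max(rank - 1, 0)]


def summarize_percentile(rows, column, p, where=None):
    """Mirror of `| where <predicate> | summarize percentile(column, p)`:
    optionally filter the rows, project the numeric column, aggregate."""
    selected = [row[column] for row in rows if where is None or where(row)]
    return percentile(selected, p)


def compare_aggregations(rows, column, where=None):
    """avg/min/max/stdev side by side with p50/p95/p99, to show why a
    percentile describes tail latency better than the average does."""
    selected = [row[column] for row in rows if where is None or where(row)]
    if not selected:
        return None
    return {
        "count": len(selected),
        "avg": mean(selected),
        "min": min(selected),
        "max": max(selected),
        "stdev": stdev(selected) if len(selected) > 1 else 0.0,
        "p50": percentile(selected, 50),
        "p95": percentile(selected, 95),
        "p99": percentile(selected, 99),
    }


if __name__ == "__main__":
    # Equivalent of the page's third query:
    # ['sample-http-logs'] | where status == '500' | summarize percentile(req_duration_ms, 99)
    p99_500 = summarize_percentile(
        SAMPLE_HTTP_LOGS, "req_duration_ms", 99, where=lambda r: r["status"] == "500"
    )
    print("p99 req_duration_ms for status 500:", p99_500)

    # Successful requests: the single 1200 ms outlier drags the average up,
    # while p50 and p95 stay close to the bulk of the distribution.
    ok = compare_aggregations(
        SAMPLE_HTTP_LOGS, "req_duration_ms", where=lambda r: r["status"] == "200"
    )
    for name in ("count", "avg", "p50", "p95", "p99", "max", "stdev"):
        print(f"{name:>6}: {ok[name]}")
```

On the constructed status 200 rows the average is 240.5 ms and the maximum 1200 ms, but p50 is 190 ms and p95 is 280 ms: one slow request moves the average and the maximum, while the percentiles still describe what almost every request experienced. Note that a filter matching no rows yields no value rather than zero, which is worth remembering when a dashboard panel shows an empty percentile.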