https://community.splunk.com/t5/Deployment-Architecture/Bucket-Group-results/m-p/80955#M2888 <P>yep</P> <P><CODE>index="abc_prod_apache_access" ST=200 NOT (host="abc-xxx01.xyz.prod") | stats avg(US) as AverageResponseTime by host | bucket AverageResponseTime span=100</CODE></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bucket">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bucket</A></P> <P>UPDATE---------------------------</P> <P>well, if the US field is a number of milliseconds already then the bucket span is correct. If the US field is a number of seconds then you'll want to use span="0.1" instead. </P> <P>As for the overall report, this does pretty much what you asked for. Granted you'll probably want to end up with a <CODE>| sort AverageResponseTime</CODE> on the end. </P> <P>With that search you'll end up with a table where each row is a host, and the AverageResponseTime field will be things like "0.2-0.3", "0.3-0.4". </P> <P>As a slightly different report, you might be interested in this report which is nicely chartable as a split-by column chart, where the bucketed response time intervals are on the x-axis and it's a frequency chart split by host... </P> <P><CODE>index="abc_prod_apache_access" ST=200 NOT (host="abc-xxx01.xyz.prod") | bucket AverageResponseTime span="100" | chart count over AverageResponseTime by host</CODE></P> Fri, 23 Sep 2011 18:43:57 GMT sideview 2011-09-23T18:43:57Z https://community.splunk.com/t5/Deployment-Architecture/Bucket-Group-results/m-p/80954#M2887 <P>index="abc_prod_apache_access" ST=200 NOT (host="abc-xxx01.xyz.prod") | stats avg(US) as AverageResponseTime by host</P> <P>Is there a way to bucket AverageResponseTime above in buckets of 100ms?</P> Mon, 28 Sep 2020 09:54:28 GMT https://community.splunk.com/t5/Deployment-Architecture/Bucket-Group-results/m-p/80954#M2887 gogetsplunk 2020-09-28T09:54:28Z https://community.splunk.com/t5/Deployment-Architecture/Bucket-Group-results/m-p/80955#M2888 <P>yep</P> <P><CODE>index="abc_prod_apache_access" ST=200 NOT (host="abc-xxx01.xyz.prod") | stats avg(US) as AverageResponseTime by host | bucket AverageResponseTime span=100</CODE></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bucket">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Bucket</A></P> <P>UPDATE---------------------------</P> <P>well, if the US field is a number of milliseconds already then the bucket span is correct. If the US field is a number of seconds then you'll want to use span="0.1" instead. </P> <P>As for the overall report, this does pretty much what you asked for. Granted you'll probably want to end up with a <CODE>| sort AverageResponseTime</CODE> on the end. </P> <P>With that search you'll end up with a table where each row is a host, and the AverageResponseTime field will be things like "0.2-0.3", "0.3-0.4". </P> <P>As a slightly different report, you might be interested in this report which is nicely chartable as a split-by column chart, where the bucketed response time intervals are on the x-axis and it's a frequency chart split by host... </P> <P><CODE>index="abc_prod_apache_access" ST=200 NOT (host="abc-xxx01.xyz.prod") | bucket AverageResponseTime span="100" | chart count over AverageResponseTime by host</CODE></P> Fri, 23 Sep 2011 18:43:57 GMT https://community.splunk.com/t5/Deployment-Architecture/Bucket-Group-results/m-p/80955#M2888 sideview 2011-09-23T18:43:57Z https://community.splunk.com/t5/Deployment-Architecture/Bucket-Group-results/m-p/80956#M2889 <P>the below answer is incorrect. Here is the correct syntax:</P> <P>index="abc_prod_apache_access" ST=200 NOT (host="abc-xxx01.xyz.prod") | bucket _time span=100ms | stats avg(US)as AverageResponseTime by _time host</P> Mon, 28 Sep 2020 12:16:57 GMT https://community.splunk.com/t5/Deployment-Architecture/Bucket-Group-results/m-p/80956#M2889 sf-mike 2020-09-28T12:16:57Z https://community.splunk.com/t5/Deployment-Architecture/Bucket-Group-results/m-p/80957#M2890 <P>Note that his question doesn't have to do with the _time field, but with the US field. So bucketing by time isn't what was asked for. I've updated my answer below and I still believe it's at least close to what they're looking for.</P> Thu, 16 Aug 2012 22:46:27 GMT https://community.splunk.com/t5/Deployment-Architecture/Bucket-Group-results/m-p/80957#M2890 sideview 2012-08-16T22:46:27Z