topic Re: How to seperate status based on response time values ? in Splunk Search

How to seperate status based on response time values ?

karthi2809 — Tue, 01 Aug 2017 12:46:24 GMT

I need only amber and severe but i am not getting any result

base search|eval responseTime=TransactionEndtime-TransactionStartTime|eval responseTime=round((responseTime/1000),3)| stats avg(responseTime) as "avgResponseTime" by Category,Verb|eval respTimeStatus=if(avgResponseTime>15,"25",(if(avgResponseTime>=7 AND avgResponseTime<=15,"15","5"))) |rangemap field=respTimeStatus Low=0-10 Amber=11-20 Severe=21-30|stats values(range) as Status values(avgResponseTime) as avgResponseTime by Category,Verb|Where (Status="Amber" OR Status="Severe")

Re: How to seperate status based on response time values ?

richgalloway — Tue, 01 Aug 2017 16:42:01 GMT

The rangemap command expects numeric values, but you have text values. Try removing the quotation marks from your if statement. Also, consider using case instead of nested ifs as it's easier to read.

Re: How to seperate status based on response time values ?

DalJeanis — Tue, 01 Aug 2017 17:28:07 GMT

Try this - implemented @somesoni2's suggestions, removed the redundant second test against 15, which must always be true, removed the redundant final stats command in favor of just renaming the range field, also set final | where to lower case.

base search
    | eval responseTime=TransactionEndtime-TransactionStartTime
    | eval responseTime=round((responseTime/1000),3)
    | stats avg(responseTime) as "avgResponseTime" by Category,Verb
    | eval respTimeStatus=case(avgResponseTime>15,25, avgResponseTime>=7,15, true(),5 ) 
    | rangemap field=respTimeStatus Low=0-10 Amber=11-20 Severe=21-30
    | rename range as Status
    | where (Status="Amber" OR Status="Severe")