topic Re: How to use Eval greater than, less than for a duration and Count the values in Splunk Search

How to use Eval greater than, less than for a duration and Count the values

amunag439 — Tue, 09 Jul 2019 17:55:38 GMT

I'm calculating the time difference between two events by using Transaction and Duration. Below is the query that I used to get the duration between two events Model and Response

host=* sourcetype=** source="*/example.log" "Model*" OR "Response*"
 | transaction traceId startswith="Model" endswith="Response" 
 | table traceId duration _time

I want to get counts of transactions where duration>1, duration<1 and the total count in the same table. I was able to do it individually in separate queries using where clause and eval. But was not successful when I combined them. The individual query that works for me is

"Model List*" OR "Response Code*"
| transaction traceId startswith="Model List" endswith="Response Code" | eval less_dur=duration | where less_dur > 1
| stats count(less_dur)

Query that doesnt work me is

"Model List*" OR "Response Code*"
| transaction traceId startswith="Model List" endswith="Response Code" | eval less_dur=duration | where less_dur > 1 | eval more_dur=duration | where more_dur < 1
| stats count(less_dur), count(more_dur), count

Re: How to use Eval greater than, less than for a duration and Count the values

cmerriman — Wed, 30 Sep 2020 01:16:07 GMT

So the reason that wouldn't work is because you're calculating less_dur and then filtering when it's less than 1. THEN you create more_dur, but the duration is already always less than 1. you would need to do both evals before the where statements.

Re: How to use Eval greater than, less than for a duration and Count the values

amunag439 — Tue, 09 Jul 2019 18:44:45 GMT

@cmerriman My eval is based on the duration values here. So how do I achieve it?

Re: How to use Eval greater than, less than for a duration and Count the values

tiagofbmm — Tue, 09 Jul 2019 18:55:08 GMT

I think there is a logical loop here. You're looking for duration>1 and then duration <1 and want to have the number of each of those.

How about

 "Model List*" OR "Response Code*"
 | transaction traceId startswith="Model List" endswith="Response Code" | eval less_dur=if(duration>1,1,0), moe_dur=if(duration<1,1,0)  | stats sum(less_dur), sum(more_dur), count

Re: How to use Eval greater than, less than for a duration and Count the values

amunag439 — Tue, 09 Jul 2019 19:16:21 GMT

Thanks for the reply @cmerriman

Re: How to use Eval greater than, less than for a duration and Count the values

amunag439 — Tue, 09 Jul 2019 19:17:14 GMT

@tiagofbmm This is exactly what I was looking for. Thank you