topic Re: Response Time search with a additional calculation in Splunk Search

Response Time search with a additional calculation

denisevw — Thu, 01 May 2014 11:06:03 GMT

Hi there Splunkers

I need some assistance with a search. We are calculating the response time between transactions by taking the last event and deducting if from the first event. That all works perfectly in this search:

index="my_index* host="the_host*" sourcetype=my_sourcetype Message_Type="123" OR Message_Type="456" | rex field=_raw "\d+:\d+:\d+\.(?<MilliSeconds>\d+)" | eval calctime=(_time*1000) | eval newtime=calctime+MilliSeconds  | stats  latest(newtime) as end earliest(newtime) as begin by UUID | eval responsetime=end-begin | eval Response_Time=round(responsetime/1000,3) | stats max(Response_Time) as Response_Time  | chart first(Response_Time) as RT_Max

The challenge is to create a second scenario where, if the time exceeds 45.001 seconds (say, 54.269 or 67.598 seconds), then it should return a value of 45.000 seconds where the value still need to be calculable in the search....

I tried to use the "eval if" command but it gives and error
eval if(newtime=<"45.001", "45.000", newtime)

Any assistance will be appreciated, thanks.

Re: Response Time search with a additional calculation

richgalloway — Thu, 01 May 2014 12:09:20 GMT

If you want limit the maximum value of Response_Time, try

eval Response_Time=if(Response_Time>45,45,Response_Time)

If you want to create a new variable, try

eval newtime=if(Response_Time>45,45,Response_Time)

Re: Response Time search with a additional calculation

Ayn — Thu, 01 May 2014 13:22:00 GMT

You shouldn't be using a dot in your values there, this makes for an invalid integer. Use

... | eval newtime=if(newtime>=45001,45000,newtime)

Re: Response Time search with a additional calculation

denisevw — Fri, 02 May 2014 10:09:13 GMT

Thanks for the instant feedback.

I've added your recommendation and it worked with
eval Response_Time=if(restime>45,"45.000",restime)
just needed to rearrange some naming and it worked perfect.

Re: Response Time search with a additional calculation

richgalloway — Fri, 02 May 2014 11:28:23 GMT

Please accept the answer.

Re: Response Time search with a additional calculation

denisevw — Fri, 02 May 2014 11:28:50 GMT

A strange thing is happening here...

When I run the search, time picked for previous week, it shows different results in Verbose Mode and Fast Mode\Smart Mode.
In Verbose Mode is accurate but, in Fast Mode\Smart Mode, it is totally wrong!
When I add the search to the Dashboard (Inline or Report), it obviously saves it in the Fast Mode\Smart Mode.

What is the reason for this and how can I add "Verbose Mode" to the Inline search in the Dashboard?