https://community.splunk.com/t5/Splunk-Search/How-to-group-multiple-methods-responsetime-into-intervals-and/m-p/642758#M222625 <P>This helps. Thank you for the solution!</P> Wed, 10 May 2023 04:49:37 GMT Splunk_321 2023-05-10T04:49:37Z https://community.splunk.com/t5/Splunk-Search/How-to-group-multiple-methods-responsetime-into-intervals-and/m-p/642624#M222586 <P>Hi All,</P><P>I have a requirement where I need to group count of methods responsetime into different time intervals.</P><P>Below is what I tried&nbsp;</P><LI-CODE lang="markup">basesearch | eval ResponseTime=if(uri=="/api/auth",null(),responsetime*1000) | rex field=gwrequesturi "(?&lt;prefix&gt;\S+)/locations/(?&lt;method&gt;\w+[^/?])" | table ResponseTime method</LI-CODE><P>This is resulted in below output</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%"><STRONG>ResponseTime</STRONG></TD><TD width="50%"><STRONG>Method</STRONG></TD></TR><TR><TD width="50%">330</TD><TD width="50%">A</TD></TR><TR><TD width="50%">1627</TD><TD width="50%">B</TD></TR><TR><TD width="50%">1025</TD><TD width="50%">B</TD></TR><TR><TD>3126</TD><TD>A</TD></TR><TR><TD>2034</TD><TD>B</TD></TR><TR><TD>..........................</TD><TD>...............</TD></TR></TBODY></TABLE><P>I have two possibilities for method (Say for ex: A and B)</P><P>I want to get results something like below (Responsetime and count of each method falling in that interval)</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%"><STRONG>ResponseTime</STRONG></TD><TD width="33.333333333333336%"><STRONG>A</STRONG></TD><TD width="33.333333333333336%"><STRONG>B</STRONG></TD></TR><TR><TD width="33.333333333333336%">&lt;=1000</TD><TD width="33.333333333333336%">4</TD><TD width="33.333333333333336%">8</TD></TR><TR><TD width="33.333333333333336%">&gt;1000 and &lt;=3000</TD><TD width="33.333333333333336%">11</TD><TD width="33.333333333333336%">25</TD></TR><TR><TD width="33.333333333333336%">&gt;3000 and &lt;=5000</TD><TD width="33.333333333333336%">35</TD><TD width="33.333333333333336%">23</TD></TR><TR><TD>&gt;5000</TD><TD>2</TD><TD>4</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Can someone help me with the query!&nbsp;</P><P>Thanks in advance!</P> Tue, 09 May 2023 08:52:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-multiple-methods-responsetime-into-intervals-and/m-p/642624#M222586 Splunk_321 2023-05-09T08:52:22Z https://community.splunk.com/t5/Splunk-Search/How-to-group-multiple-methods-responsetime-into-intervals-and/m-p/642710#M222605 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/251203">@Splunk_321</a>&nbsp;- try below search:</P><LI-CODE lang="markup">basesearch | eval ResponseTime=if(uri=="/api/auth",null(),responsetime*1000) | rex field=gwrequesturi "(?&lt;prefix&gt;\S+)/locations/(?&lt;method&gt;\w+[^/?])" | table ResponseTime method | eval category=case(ResponseTime&lt;=1000,"&lt;=1000", ResponseTime&lt;=3000,"&gt;1000 and &lt;=3000", ResponseTime&lt;=5000,"&gt;3000 and &lt;=5000", ResponseTime&gt;5000,"&gt;5000") | chart count over category by Method</LI-CODE><P>&nbsp;</P><P>&nbsp;I hope this helps!!! Kindly upvote if it does!!!</P> Tue, 09 May 2023 17:13:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-multiple-methods-responsetime-into-intervals-and/m-p/642710#M222605 VatsalJagani 2023-05-09T17:13:46Z https://community.splunk.com/t5/Splunk-Search/How-to-group-multiple-methods-responsetime-into-intervals-and/m-p/642758#M222625 <P>This helps. Thank you for the solution!</P> Wed, 10 May 2023 04:49:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-multiple-methods-responsetime-into-intervals-and/m-p/642758#M222625 Splunk_321 2023-05-10T04:49:37Z