https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-divide-results-into-buckets-of-varying-sizes/m-p/20393#M3178 <P>try "| chart count(_raw) by duration span=log2", does it do the trick? BTW, it should work with "| bucket duration span=log2" but I'm getting an exception, I'm sending a bug report</P> Mon, 26 Jul 2010 22:09:32 GMT hbazan 2010-07-26T22:09:32Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-divide-results-into-buckets-of-varying-sizes/m-p/20392#M3177 <P>I'd like to be able to provide a chart that divides data into sets (buckets) of different sizes.</P> <P>The underlying search returns a large number of transactions, and we are interested in tracking those with abnormally long durations. To do this, we hoped to somehow be able to divide the durations into "human-useful" buckets like 0-20ms, 20-40ms, 40-60ms, 80-100ms, 100-200ms, 200ms+ (note these buckets are not all the same size, and one doesn't even have an upper extent).</P> <P>I have tried using a postprocessing command "| chart count(_raw) by duration span=20ms", but of course this this results in a large number of ranges up to the longest durations, most of which have nothing in them.</P> <P>Is there a builtin way to specify all of the bucket extents, or if not, use a combination of postprocessing commands to work this out?</P> Mon, 26 Jul 2010 21:42:06 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-divide-results-into-buckets-of-varying-sizes/m-p/20392#M3177 Glenn 2010-07-26T21:42:06Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-divide-results-into-buckets-of-varying-sizes/m-p/20393#M3178 <P>try "| chart count(_raw) by duration span=log2", does it do the trick? BTW, it should work with "| bucket duration span=log2" but I'm getting an exception, I'm sending a bug report</P> Mon, 26 Jul 2010 22:09:32 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-divide-results-into-buckets-of-varying-sizes/m-p/20393#M3178 hbazan 2010-07-26T22:09:32Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-divide-results-into-buckets-of-varying-sizes/m-p/20394#M3179 <P>You can certainly compute your own bucket sizes using the eval command. For example, in your case you would search:</P> <PRE><CODE>... | eval duration_group = case(duration &lt; 20, "0-20 ms", duration &lt; 40, "20-40 ms", duration &lt; 60, "40-60 ms", duration &lt; 80, "60-80 ms", duration &lt; 100, "80-100 ms", duration &lt; 200, "100-200 ms", 1==1, "&gt;200 ms") | chart count by duration_group </CODE></PRE> Mon, 26 Jul 2010 23:14:33 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-divide-results-into-buckets-of-varying-sizes/m-p/20394#M3179 Stephen_Sorkin 2010-07-26T23:14:33Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-divide-results-into-buckets-of-varying-sizes/m-p/20395#M3180 <P>Using the rangemap command is an option as well:</P> <PRE><CODE>... | rangemap field=duration "0-20ms"=0-20 "20-40ms"=20-40 "40-60ms"=40-60 "60-80ms"=60-80 "80-100ms"=80-100 "100-200ms"=100-200 default="200ms+" | stats count by range </CODE></PRE> Tue, 27 Jul 2010 00:14:38 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-divide-results-into-buckets-of-varying-sizes/m-p/20395#M3180 ziegfried 2010-07-27T00:14:38Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-divide-results-into-buckets-of-varying-sizes/m-p/20396#M3181 <P>Here in this case difference inn range is 0-20,20-40,40-60 if it has different ranges like 0-40,40-60,60-90 <BR /> How to write a query for that ?</P> Thu, 14 Sep 2017 09:11:35 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-divide-results-into-buckets-of-varying-sizes/m-p/20396#M3181 srikarbaswa446 2017-09-14T09:11:35Z