- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Query optimization
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can anyone come up with a better/faster/more elegant way of achieving this?
CALL_NAME="method-1" CALL_STATUS="CALL_ENDED"
| bucket _time span=5m
| stats count as count_1, avg(CALL_DURATION) as duration_1 by _time
| join _time [
search CALL_NAME="method-2" CALL_STATUS="CALL_ENDED"
| bucket _time span=5m
| stats count as count_2, avg(CALL_DURATION) as duration_2 by _time ]
| eval duration_D=duration_2 - duration_1
| where ( count_1 >= 5 AND duration_1 > 4000 ) OR (count_2 >= 5 AND duration_2 > 10000 ) OR (count_1 >= 5 AND count_2 >= 5 AND duration_D > 7000)
I can get the basic values with this:
CALLNAME="method-1" OR CALLNAME="method-2" CALLSTATUS="CALL_ENDED"
| timechart span=5m count(CALLDURATION) as count, avg(CALLDURATION) as duration by _time, CALLNAME
but I can't figure out how to get the 'where' logic to work with the resulting column names.
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, you probably meant not to use _time in the "by" clause of the timechart command, since timechart is already by time.
If you do:
CALLNAME="method-1" OR CALLNAME="method-2" CALLSTATUS="CALL_ENDED"
| timechart span=5m count(CALLDURATION) as count, avg(CALLDURATION) as duration by CALLNAME
timechart will produce 4 columns, named "count: method-1", "duration: method-1", "count: method-2", and "duration: method-2". You can then perform the rest of the search using those fields, but to make things a bit simpler I'd first rename the fields:
CALLNAME="method-1" OR CALLNAME="method-2" CALLSTATUS="CALL_ENDED"
| timechart span=5m count(CALLDURATION) as count, avg(CALLDURATION) as duration by CALLNAME
| rename
"count: method-1" as count_1, "count: method-2" as count_2,
"duration: method-1" as duration_1, "duration: method-2" as duration_2
| eval duration_D=duration_2 - duration_1
| where ( count_1 >= 5 AND duration_1 > 4000 ) OR (count_2 >= 5 AND duration_2 > 10000 ) OR (count_1 >= 5 AND count_2 >= 5 AND duration_D > 7000)
Note that for cases where timechart isn't appropriate, you can do the same using "stats", but instead of 2 aggregation expressions you would use 4 with an "eval" condition, as follows:
stats
sum(eval(if(CALLNAME=="method-1",1,0))) as count_1,
sum(eval(if(CALLNAME=="method-2",1,0))) as count_2,
avg(eval(if(CALLNAME=="method-1",CALLDURATION,null()))) as duration_1,
avg(eval(if(CALLNAME=="method-2",CALLDURATION,null()))) as duration_2
by whatever_field
Hope this helps,
Yair Halevi (Spock)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The following will do everything except for dealing with duration_D...
CALLNAME="method-1" OR CALLNAME="method-2" CALLSTATUS="CALL_ENDED"
| bucket span=5m _time
| stats count(CALLDURATION) as count, avg(CALLDURATION) as duration by _time, CALLNAME
| where count > 5
| where (CALLNAME="method-1" AND duration > 4000) OR (CALLNAME="method-2" AND duration > 10000)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, you probably meant not to use _time in the "by" clause of the timechart command, since timechart is already by time.
If you do:
CALLNAME="method-1" OR CALLNAME="method-2" CALLSTATUS="CALL_ENDED"
| timechart span=5m count(CALLDURATION) as count, avg(CALLDURATION) as duration by CALLNAME
timechart will produce 4 columns, named "count: method-1", "duration: method-1", "count: method-2", and "duration: method-2". You can then perform the rest of the search using those fields, but to make things a bit simpler I'd first rename the fields:
CALLNAME="method-1" OR CALLNAME="method-2" CALLSTATUS="CALL_ENDED"
| timechart span=5m count(CALLDURATION) as count, avg(CALLDURATION) as duration by CALLNAME
| rename
"count: method-1" as count_1, "count: method-2" as count_2,
"duration: method-1" as duration_1, "duration: method-2" as duration_2
| eval duration_D=duration_2 - duration_1
| where ( count_1 >= 5 AND duration_1 > 4000 ) OR (count_2 >= 5 AND duration_2 > 10000 ) OR (count_1 >= 5 AND count_2 >= 5 AND duration_D > 7000)
Note that for cases where timechart isn't appropriate, you can do the same using "stats", but instead of 2 aggregation expressions you would use 4 with an "eval" condition, as follows:
stats
sum(eval(if(CALLNAME=="method-1",1,0))) as count_1,
sum(eval(if(CALLNAME=="method-2",1,0))) as count_2,
avg(eval(if(CALLNAME=="method-1",CALLDURATION,null()))) as duration_1,
avg(eval(if(CALLNAME=="method-2",CALLDURATION,null()))) as duration_2
by whatever_field
Hope this helps,
Yair Halevi (Spock)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If this resolved your issue, please accept the answer as correct by clicking on the check-mark to the left of the answer. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bingo! It was actually the spaces in the column names that were tripping me up. (after figuring out that I had to single quote them in the where clause...) Good call on the rename though. Make things much simpler.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
