Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- response time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to put response time in three buckets. low < 1 second, medium < 2 second, high > 2 second. I would like to calculate % response time in low medium and high buckets.
The following is the query:
sourcetype="jboss" TOTAL SEARCH TIME CAREWEB | eventstats count as total |eval rp=EASYDOC_JBOSS_TIME/1000 | rangemap field=rp low=0-1.0 medium=1-2 high=2-100 | stats count by range
Eventhough I see total in the fields, I am not able to use it in the eval to calculate %
as per SLA I have to have produce a graph that shows that 99% of responsetime is less than 1 second
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could try;
sourcetype="jboss" TOTAL SEARCH TIME CAREWEB
| eval rp=EASYDOC_JBOSS_TIME/1000
| rangemap field=rp low=0-1.0 medium=1-2 high=2-100
| stats c AS TOTAL c(eval(range="low")) AS OK_COUNT c(eval(range="medium")) AS NOT_OK_COUNT c(eval(range="high")) AS REALLY_BAD_COUNT
| eval SLA_OK_PERC = round((OK_COUNT / TOTAL *100),2)
| eval SLA_BAD_PERC = round((NOT_OK_COUNT / TOTAL * 100), 2)
| eval SLA_DISASTER_PERC = round((REALLY_BAD_COUNT / TOTAL *100),2)
I believe that changing 'stats' for 'timechart span=1d' will give you the results you want - see below. I haven't tried it though, as I have no good sample logs available.
sourcetype="jboss" TOTAL SEARCH TIME CAREWEB
| eval rp=EASYDOC_JBOSS_TIME/1000
| rangemap field=rp low=0-1.0 medium=1-2 high=2-100
| timechart span=1d c AS TOTAL c(eval(range="low")) AS OK_COUNT c(eval(range="medium")) AS NOT_OK_COUNT c(eval(range="high")) AS REALLY_BAD_COUNT
| eval SLA_OK_PERC = round((OK_COUNT / TOTAL *100),2)
| eval SLA_BAD_PERC = round((NOT_OK_COUNT / TOTAL * 100), 2)
| eval SLA_DISASTER_PERC = round((REALLY_BAD_COUNT / TOTAL *100),2)
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kristian,
sourcetype="jboss" TOTAL SEARCH TIME CAREWEB
| eval rp=EASYDOC_JBOSS_TIME/1000
| rangemap field=rp low=0-1.0 medium=1-2 high=2-100
| stats c AS TOTAL c(eval(range="low")) AS OK_COUNT c(eval(range="medium")) AS NOT_OK_COUNT c(eval(range="high")) AS REALLY_BAD_COUNT
| eval SLA_OK_PERC = round((OK_COUNT / TOTAL *100),2)
| eval SLA_BAD_PERC = round((NOT_OK_COUNT / TOTAL * 100), 2)
| eval SLA_DISASTER_PERC = round((REALLY_BAD_COUNT / TOTAL *100),2)
This works but how do I get this stats per day?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is also the percXX stats functions which compute the XXth percentile of a data set. This may (or equally may not) be a better approach to your measurement.
sourcetype="jboss" TOTAL SEARCH TIME CAREWEB
| eval rp=EASYDOC_JBOSS_TIME/1000
| timechart perc99(rp)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could try;
sourcetype="jboss" TOTAL SEARCH TIME CAREWEB
| eval rp=EASYDOC_JBOSS_TIME/1000
| rangemap field=rp low=0-1.0 medium=1-2 high=2-100
| stats c AS TOTAL c(eval(range="low")) AS OK_COUNT c(eval(range="medium")) AS NOT_OK_COUNT c(eval(range="high")) AS REALLY_BAD_COUNT
| eval SLA_OK_PERC = round((OK_COUNT / TOTAL *100),2)
| eval SLA_BAD_PERC = round((NOT_OK_COUNT / TOTAL * 100), 2)
| eval SLA_DISASTER_PERC = round((REALLY_BAD_COUNT / TOTAL *100),2)
I believe that changing 'stats' for 'timechart span=1d' will give you the results you want - see below. I haven't tried it though, as I have no good sample logs available.
sourcetype="jboss" TOTAL SEARCH TIME CAREWEB
| eval rp=EASYDOC_JBOSS_TIME/1000
| rangemap field=rp low=0-1.0 medium=1-2 high=2-100
| timechart span=1d c AS TOTAL c(eval(range="low")) AS OK_COUNT c(eval(range="medium")) AS NOT_OK_COUNT c(eval(range="high")) AS REALLY_BAD_COUNT
| eval SLA_OK_PERC = round((OK_COUNT / TOTAL *100),2)
| eval SLA_BAD_PERC = round((NOT_OK_COUNT / TOTAL * 100), 2)
| eval SLA_DISASTER_PERC = round((REALLY_BAD_COUNT / TOTAL *100),2)
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Feel free to mark the question as answered. /k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked. Thanks you very much
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
see update above.
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kristian,
It works, but this gives cumulative answer. Is it possible to get it per day?
Thanks for your help
Kalpesh
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
Fun with Regular Expression - multiples of nine
