Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

response time

kunadkat
Explorer
‎05-14-2012 01:13 PM

I would like to put response time in three buckets. low < 1 second, medium < 2 second, high > 2 second. I would like to calculate % response time in low medium and high buckets.

The following is the query:

sourcetype="jboss" TOTAL SEARCH TIME CAREWEB | eventstats count as total |eval rp=EASYDOC_JBOSS_TIME/1000 | rangemap field=rp low=0-1.0 medium=1-2 high=2-100 | stats count by range

Eventhough I see total in the fields, I am not able to use it in the eval to calculate %

as per SLA I have to have produce a graph that shows that 99% of responsetime is less than 1 second

Thanks,

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎05-14-2012 01:53 PM

You could try;

sourcetype="jboss" TOTAL SEARCH TIME CAREWEB 
| eval rp=EASYDOC_JBOSS_TIME/1000 
| rangemap field=rp low=0-1.0 medium=1-2 high=2-100 
| stats c AS TOTAL c(eval(range="low")) AS OK_COUNT c(eval(range="medium")) AS NOT_OK_COUNT c(eval(range="high")) AS REALLY_BAD_COUNT 
| eval SLA_OK_PERC = round((OK_COUNT / TOTAL *100),2) 
| eval SLA_BAD_PERC = round((NOT_OK_COUNT / TOTAL * 100), 2) 
| eval SLA_DISASTER_PERC = round((REALLY_BAD_COUNT / TOTAL *100),2)

I believe that changing 'stats' for 'timechart span=1d' will give you the results you want - see below. I haven't tried it though, as I have no good sample logs available.

sourcetype="jboss" TOTAL SEARCH TIME CAREWEB 
| eval rp=EASYDOC_JBOSS_TIME/1000 
| rangemap field=rp low=0-1.0 medium=1-2 high=2-100 
| timechart span=1d c AS TOTAL c(eval(range="low")) AS OK_COUNT c(eval(range="medium")) AS NOT_OK_COUNT c(eval(range="high")) AS REALLY_BAD_COUNT 
| eval SLA_OK_PERC = round((OK_COUNT / TOTAL *100),2) 
| eval SLA_BAD_PERC = round((NOT_OK_COUNT / TOTAL * 100), 2) 
| eval SLA_DISASTER_PERC = round((REALLY_BAD_COUNT / TOTAL *100),2)

Hope this helps,

Kristian

View solution in original post

Reply
Solved! Jump to solution

kunadkat
Explorer
‎05-14-2012 09:29 PM

Kristian,

sourcetype="jboss" TOTAL SEARCH TIME CAREWEB
| eval rp=EASYDOC_JBOSS_TIME/1000
| rangemap field=rp low=0-1.0 medium=1-2 high=2-100
| stats c AS TOTAL c(eval(range="low")) AS OK_COUNT c(eval(range="medium")) AS NOT_OK_COUNT c(eval(range="high")) AS REALLY_BAD_COUNT
| eval SLA_OK_PERC = round((OK_COUNT / TOTAL *100),2)
| eval SLA_BAD_PERC = round((NOT_OK_COUNT / TOTAL * 100), 2)
| eval SLA_DISASTER_PERC = round((REALLY_BAD_COUNT / TOTAL *100),2)

This works but how do I get this stats per day?

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎05-14-2012 04:22 PM

There is also the percXX stats functions which compute the XXth percentile of a data set. This may (or equally may not) be a better approach to your measurement. 

sourcetype="jboss" TOTAL SEARCH TIME CAREWEB 
| eval rp=EASYDOC_JBOSS_TIME/1000 
| timechart perc99(rp)
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎05-14-2012 01:53 PM

You could try;

sourcetype="jboss" TOTAL SEARCH TIME CAREWEB 
| eval rp=EASYDOC_JBOSS_TIME/1000 
| rangemap field=rp low=0-1.0 medium=1-2 high=2-100 
| stats c AS TOTAL c(eval(range="low")) AS OK_COUNT c(eval(range="medium")) AS NOT_OK_COUNT c(eval(range="high")) AS REALLY_BAD_COUNT 
| eval SLA_OK_PERC = round((OK_COUNT / TOTAL *100),2) 
| eval SLA_BAD_PERC = round((NOT_OK_COUNT / TOTAL * 100), 2) 
| eval SLA_DISASTER_PERC = round((REALLY_BAD_COUNT / TOTAL *100),2)

I believe that changing 'stats' for 'timechart span=1d' will give you the results you want - see below. I haven't tried it though, as I have no good sample logs available.

sourcetype="jboss" TOTAL SEARCH TIME CAREWEB 
| eval rp=EASYDOC_JBOSS_TIME/1000 
| rangemap field=rp low=0-1.0 medium=1-2 high=2-100 
| timechart span=1d c AS TOTAL c(eval(range="low")) AS OK_COUNT c(eval(range="medium")) AS NOT_OK_COUNT c(eval(range="high")) AS REALLY_BAD_COUNT 
| eval SLA_OK_PERC = round((OK_COUNT / TOTAL *100),2) 
| eval SLA_BAD_PERC = round((NOT_OK_COUNT / TOTAL * 100), 2) 
| eval SLA_DISASTER_PERC = round((REALLY_BAD_COUNT / TOTAL *100),2)

Hope this helps,

Kristian

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎05-21-2012 02:03 AM

Feel free to mark the question as answered. /k

0 Karma
Reply
Solved! Jump to solution

kunadkat
Explorer
‎05-18-2012 06:43 AM

Worked. Thanks you very much

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎05-15-2012 08:06 AM

see update above.

/k

0 Karma
Reply
Solved! Jump to solution

kunadkat
Explorer
‎05-14-2012 09:31 PM

Kristian,

It works, but this gives cumulative answer. Is it possible to get it per day?

Thanks for your help
Kalpesh

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...