- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How do we get the volume of txns that took bet...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is my query Sample:
index=X service_name=XY request_host=XYZ | rex field=_raw "FId=(?<fi>\d+)" | rex field=request_route "^(?<route>.*)\?" | rex field=_id "^(?<route>.*)\?" | eval eTime = total_time | lookup FI_Name-ICA.csv ICA AS fi OUTPUT FI as fi | stats count(total_time) as TotalCalls, max(eTime) AS MaxTime, avg(eTime) as AvgTime, min(eTime) as MinTime,p90(total_time) as P90Time,p95(total_time) as P95Time by fi route | sort route, -count | table fi, route, TotalCalls,MaxTime,MinTime,P90Time,P95Time,AvgTime | sort by fi
I am trying to add columns for calls that took between 0 to 3 seconds 3 to 5 and > 8 seconds ???
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=XXX service_name=YYY request_host=ZZZ | rex field=_raw "AAA" | rex field=request_route "^(?<route>.*)\?" | rex field=_id "^(?<route>.*)\?" | eval pTime = total_time | eval TimeFrames = case(pTime<=1000, "0-1", pTime>1000 AND pTime<=3000, "1-3", pTime>3000 AND pTime<=5000, "3-5", pTime>5000 AND pTime<=8000, "5-8", pTime>8000, ">8") | stats count as CallVolume by route, TimeFrames | eventstats sum(CallVolume) as Total by route | eval Percentage=(CallVolume/Total)*100 | sort by route, -CallVolume | fields route,CallVolume,TimeFrames,Percentage | chart values(CallVolume) over route by TimeFrames | sort -TimeFrames
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=XXX service_name=YYY request_host=ZZZ | rex field=_raw "AAA" | rex field=request_route "^(?<route>.*)\?" | rex field=_id "^(?<route>.*)\?" | eval pTime = total_time | eval TimeFrames = case(pTime<=1000, "0-1", pTime>1000 AND pTime<=3000, "1-3", pTime>3000 AND pTime<=5000, "3-5", pTime>5000 AND pTime<=8000, "5-8", pTime>8000, ">8") | stats count as CallVolume by route, TimeFrames | eventstats sum(CallVolume) as Total by route | eval Percentage=(CallVolume/Total)*100 | sort by route, -CallVolume | fields route,CallVolume,TimeFrames,Percentage | chart values(CallVolume) over route by TimeFrames | sort -TimeFrames
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if this does what you want.
index=X service_name=XY request_host=XYZ
| rex field=_raw "FId=(?<fi>\d+)"
| rex field=request_route "^(?<route>.*)\?"
| rex field=_id "^(?<route>.*)\?"
| eval eTime = total_time
| lookup FI_Name-ICA.csv ICA AS fi OUTPUT FI as fi
| stats count(total_time) as TotalCalls, max(eTime) AS MaxTime, avg(eTime) as AvgTime, min(eTime) as MinTime,p90(total_time) as P90Time,p95(total_time) as P95Time, sum(eval(eTime<=3)) as Short, sum(eval((eTime>3) AND (eTime<=8))) as Medium, sum(eval(eTime>8)) as Long by fi route
| sort route, -count
| table fi, route, TotalCalls,MaxTime,MinTime,P90Time,P95Time,AvgTime,Short,Medium,Long
| sort by fiIf this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This didnt work, but i was able to do some research and get an answer to my question. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please share and accept your solution so others might benefit.
If this reply helps you, Karma would be appreciated.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
