Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Re: In pivot report setup, can the range size vary...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In pivot report setup, can the range size vary?
I'm creating a response time report via a column chart with ranges. Response times are in milliseconds. Is it possible to override the single "range size" that would be applied across the max number of ranges with an increasing range size? For example
Range 1: 0-100 MS ( range size of 100 )
Range 2: 101-500 MS ( range size of 400 )
Range 3: 501-1000 MS ( range size of 500 )
Range 4: 1001-2000 MS ( range size of 1000 )
Range 5: 2001+ MS
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can create a calculated field to hold your ranges:
| eval myRange=case(responsetime<=100,1, responsetime<=500,2, responsetime<=1000,3, responsetime<=2000,4, true(),5)
You could also give more descriptive names, as long as you make sure they will sort as desired...
| eval myRange=case(responsetime<=100,"Range 1: 0-100 MS", responsetime<=500,"Range 2: 101-500 MS", ...etc...)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do i add that "eval" logic to the existing pivot command?
When I open the saved report in pivot, select edit in pivot then open in search this is what I currently have:
| pivot apiUpdateResponseTimeReport RootObject count(RootObject) AS "Transaction Counts" SPLITROW responseTimeMS AS "API Add/Update/Delete response times in millseconds" RANGE max=5 SPLITCOL apiType SORT 100 responseTimeMS ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1
I've tried manipulating this just about every way to incorporate the eval command of " | eval myRange=case(responsetime<=100,1, responsetime<=500,2, responsetime<=1000,3, responsetime<=2000,4, true(),5) " but I think I'm a little of base with my approach ( still learning as I go ).
Thanks for the assistance.
-Kenny
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@kbrossard - That eval is streamable, and you'd just build it into the data model definition itself at the deepest level that you'd need to use it. Presumably, responseTimeMS is built into your RootObject, and it doesn't look like you have any intermediate levels, so I'd be looking to put the new field in there. All the places that responseTimeMS is in the pivot language, you'd use the new field name, and adjust the sort and numcols accordingly.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
